Windows Analysis Report
EQ5Vcf19u8.exe

Overview

General Information

Sample name: EQ5Vcf19u8.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 9fbf70243a3e4aca45a6d0af87749833e506c5a3eacdbc449525bc5f62835ba6
Analysis ID: 1579844
MD5: 849f1e782aef6fc885225f115db43236
SHA1: 2e790be949272e97d9fd71b7a6ea34140f08fb16
SHA256: 9fbf70243a3e4aca45a6d0af87749833e506c5a3eacdbc449525bc5f62835ba6

Detection

Socks5Systemz
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Yara detected Socks5Systemz
AI detected suspicious sample
Contains functionality to infect the boot sector
Found API chain indicative of debugger detection
Machine Learning detection for dropped file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • EQ5Vcf19u8.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\EQ5Vcf19u8.exe" MD5: 849F1E782AEF6FC885225F115DB43236)
    • EQ5Vcf19u8.tmp (PID: 6524 cmdline: "C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp" /SL5="$1041E,3086842,56832,C:\Users\user\Desktop\EQ5Vcf19u8.exe" MD5: BCF2F0322A00DC0DE9B0CAE39438B480)
      • classichomecinema.exe (PID: 6568 cmdline: "C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe" -i MD5: 765448A33166E70D7C75392D7E8FC161)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-ECB74.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000002.00000000.1677490068.0000000000401000.00000020.00000001.01000000.00000009.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
00000002.00000002.2922331193.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |
00000001.00000002.2922409932.0000000005A00000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Process Memory Space: classichomecinema.exe PID: 6568 | JoeSecurity_Socks5Systemz | Yara detected Socks5Systemz | Joe Security |

Source | Rule | Description | Author | Strings
2.0.classichomecinema.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T11:40:55.945834+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49736 | 188.119.66.185 | 443 | TCP
2024-12-23T11:40:58.200438+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49737 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:03.725747+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49746 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:06.213178+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49752 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:08.777176+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49759 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:11.042483+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49765 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:13.475292+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49771 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:15.727046+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49777 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:17.992801+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49783 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:20.447585+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49789 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:22.849718+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49800 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:25.121094+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49806 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:27.493734+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49811 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:30.106748+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49817 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:32.381326+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49823 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:34.807359+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49829 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:37.055328+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49835 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:39.562425+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49841 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:41.875564+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49847 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:44.250375+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49853 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:46.507483+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49858 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:48.757872+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49864 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:51.200303+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49870 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:53.590553+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49881 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:56.095549+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49887 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:58.350485+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49893 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:00.749705+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49899 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:03.097260+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:05.481336+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49911 | 188.119.66.185 | 443 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-23T11:40:56.621365+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49736 | 188.119.66.185 | 443 | TCP
2024-12-23T11:40:58.893654+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49737 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:04.444986+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49746 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:06.895357+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49752 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:09.464307+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49759 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:11.723184+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49765 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:14.155716+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49771 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:16.412756+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49777 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:18.675906+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49783 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:21.172790+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49789 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:23.533961+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49800 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:25.859838+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49806 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:28.320207+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49811 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:30.810361+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49817 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:33.127201+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49823 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:35.490294+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49829 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:37.736302+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49835 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:40.243679+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49841 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:42.558506+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49847 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:44.941050+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49853 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:47.187955+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49858 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:49.440777+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49864 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:51.885331+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49870 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:54.361600+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49881 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:56.780016+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49887 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:59.033747+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49893 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:01.508704+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49899 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:03.778164+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:06.180567+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49911 | 188.119.66.185 | 443 | TCP

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0045D188 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion, 1_2_0045D188
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0045D254 ArcFourCrypt, 1_2_0045D254
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0045D23C ArcFourCrypt, 1_2_0045D23C
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_10001000 ISCryptGetVersion, 1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_10001130 ArcFourCrypt, 1_2_10001130

Compliance

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Unpacked PE file: 2.2.classichomecinema.exe.400000.0.unpack
Source: EQ5Vcf19u8.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Classic Home Cinema_is1
Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: Binary string: msvcp71.pdbx# source: is-I1A51.tmp.1.dr
Source: Binary string: msvcr71.pdb< source: is-TKKA3.tmp.1.dr
Source: Binary string: msvcp71.pdb source: is-I1A51.tmp.1.dr
Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-8UHFM.tmp.1.dr
Source: Binary string: msvcr71.pdb source: is-TKKA3.tmp.1.dr
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 31.214.157.206:2024
Source: Joe Sandbox View | IP Address: 31.214.157.206
Source: Joe Sandbox View | IP Address: 188.119.66.185
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49771 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49736 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49765 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49737 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49777 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49811 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49746 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49759 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49783 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49806 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49817 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49829 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49823 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49835 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49853 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49870 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49881 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49789 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49893 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49847 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49887 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49858 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49911 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49899 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49905 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49864 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49800 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49841 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49771 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49765 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49759 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49783 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49777 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49811 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49746 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49858 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49736 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49853 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49800 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49911 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49752 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49841 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49829 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49817 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49789 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49887 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49847 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49823 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49893 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49881 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49905 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49899 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49835 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49870 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49806 -> 188.119.66.185:443
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49864 -> 188.119.66.185:443
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2119d7368d HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: global trafficHTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)Host: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 188.119.66.185
                    Source: unknown | TCP traffic detected without corresponding DNS query: 31.214.157.206
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B72B95 WSASetLastError,WSARecv,WSASetLastError,select | 2_2_02B72B95
                    Source: global traffic | HTTP traffic detected: GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2119d7368d HTTP/1.1 User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) Host: 188.119.66.185
                    Source: EQ5Vcf19u8.tmp, EQ5Vcf19u8.tmp, 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-EVEJS.tmp.1.dr | String found in binary or memory: http://www.innosetup.com/
                    Source: EQ5Vcf19u8.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
                    Source: EQ5Vcf19u8.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
                    Source: EQ5Vcf19u8.exe, 00000000.00000003.1665138634.0000000002310000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1665283513.00000000020C8000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, EQ5Vcf19u8.tmp, 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-EVEJS.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/ps
                    Source: EQ5Vcf19u8.exe, 00000000.00000003.1665138634.0000000002310000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1665283513.00000000020C8000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-EVEJS.tmp.1.dr | String found in binary or memory: http://www.remobjects.com/psU
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/.$g
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/5$n
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/6U
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/;$p
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/A$
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/E059080EF4409BC0D96FBCBDDEEE6C0AFBE871ADbT
                    Source: classichomecinema.exe, 00000002.00000002.2921548247.0000000000944000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4
                    Source: classichomecinema.exe, 00000002.00000002.2921548247.000000000093A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/en-GB
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/icies
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/ography
                    Source: classichomecinema.exe, 00000002.00000002.2921548247.000000000093A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/priseCertificates
                    Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/z$
                    Source: classichomecinema.exe, 00000002.00000002.2921548247.000000000093A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://188.119.66.185/z;j#
                    Source: EQ5Vcf19u8.exe, 00000000.00000002.2921525263.00000000020C1000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1664823524.00000000020C1000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1664751497.0000000002310000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000003.1666845058.0000000003230000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000002.2921911369.0000000002278000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000002.2921584585.0000000000602000.00000004.00000020.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000003.1666946097.0000000002278000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.easycutstudio.com/support.html
                    Source: unknown | Network traffic detected: HTTP traffic on port 49817 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
                    Source: unknown | Network traffic detected: HTTP traffic on port 49789 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49800 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49817
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                    Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49858
                    Source: unknown | Network traffic detected: HTTP traffic on port 49881 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49811
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49899
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
                    Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49893
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49771
                    Source: unknown | Network traffic detected: HTTP traffic on port 49858 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49893 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49911 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49806 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49823 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49806
                    Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49905 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49847
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49800
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49887
                    Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49881
                    Source: unknown | Network traffic detected: HTTP traffic on port 49847 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49835
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49911
                    Source: unknown | Network traffic detected: HTTP traffic on port 49887 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
                    Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49870
                    Source: unknown | Network traffic detected: HTTP traffic on port 49835 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49870 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49899 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49829 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49829
                    Source: unknown | Network traffic detected: HTTP traffic on port 49811 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49905
                    Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49823
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49789
                    Source: unknown | Network traffic detected: HTTP traffic on port 49771 -> 443
                    Source: unknown | HTTPS traffic detected: 188.119.66.185:443 -> 192.168.2.4:49736 version: TLS 1.2
                    Source: is-8UHFM.tmp.1.drBinary or memory string: DirectDrawCreateExmemstr_9b1f6cbe-d
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpCode function: 1_2_0042F520 NtdllDefWindowProc_A,1_2_0042F520
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpCode function: 1_2_00423B84 NtdllDefWindowProc_A,1_2_00423B84
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpCode function: 1_2_004125D8 NtdllDefWindowProc_A,1_2_004125D8
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpCode function: 1_2_00478AC0 NtdllDefWindowProc_A,1_2_00478AC0
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpCode function: 1_2_00457594 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,1_2_00457594
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpCode function: 1_2_0042E934: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,1_2_0042E934
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exeCode function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpCode function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_004555E4
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_0040840C 0_2_0040840C
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004706A8 1_2_004706A8
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004809F7 1_2_004809F7
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004352C8 1_2_004352C8
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004673A4 1_2_004673A4
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0043DD50 1_2_0043DD50
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0043035C 1_2_0043035C
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004444C8 1_2_004444C8
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004345C4 1_2_004345C4
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00444A70 1_2_00444A70
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00486BD0 1_2_00486BD0
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00430EE8 1_2_00430EE8
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0045F0C4 1_2_0045F0C4
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00445168 1_2_00445168
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0045B174 1_2_0045B174
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00469404 1_2_00469404
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00445574 1_2_00445574
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004519BC 1_2_004519BC
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00487B30 1_2_00487B30
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0048DF54 1_2_0048DF54
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_00401000 2_2_00401000
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_004067B7 2_2_004067B7
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_609660FA 2_2_609660FA
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6092114F 2_2_6092114F
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6091F2C9 2_2_6091F2C9
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6096923E 2_2_6096923E
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6093323D 2_2_6093323D
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6095C314 2_2_6095C314
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60950312 2_2_60950312
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6094D33B 2_2_6094D33B
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6093B368 2_2_6093B368
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6096748C 2_2_6096748C
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6093F42E 2_2_6093F42E
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60954470 2_2_60954470
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_609615FA 2_2_609615FA
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6096A5EE 2_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6096D6A4 2_2_6096D6A4
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_609606A8 2_2_609606A8
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60932654 2_2_60932654
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60955665 2_2_60955665
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6094B7DB 2_2_6094B7DB
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6092F74D 2_2_6092F74D
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60964807 2_2_60964807
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6094E9BC 2_2_6094E9BC
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60937929 2_2_60937929
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6093FAD6 2_2_6093FAD6
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6096DAE8 2_2_6096DAE8
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6094DA3A 2_2_6094DA3A
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60936B27 2_2_60936B27
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60954CF6 2_2_60954CF6
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60950C6B 2_2_60950C6B
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60966DF1 2_2_60966DF1
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60963D35 2_2_60963D35
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60909E9C 2_2_60909E9C
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60951E86 2_2_60951E86
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60912E0B 2_2_60912E0B
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60954FF8 2_2_60954FF8
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02BAF21D 2_2_02BAF21D
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02BB0010 2_2_02BB0010
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02BA94B3 2_2_02BA94B3
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B8BAED 2_2_02B8BAED
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B8D31F 2_2_02B8D31F
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B870B0 2_2_02B870B0
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B7E079 2_2_02B7E079
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B9266D 2_2_02B9266D
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B8873A 2_2_02B8873A
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B8BF05 2_2_02B8BF05
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B90DA4 2_2_02B90DA4
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B8B5F9 2_2_02B8B5F9
                    Source: Joe Sandbox View | Dropped File: C:\ProgramData\ClassicHomeCinema\sqlite3.dll 16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: String function: 02B92A00 appears 134 times
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: String function: 02B87750 appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 00408C0C appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 00406AC4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 0040595C appears 117 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 00457F1C appears 73 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 00403400 appears 60 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 00445DD4 appears 45 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 00457D10 appears 96 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 004344DC appears 32 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 004078F4 appears 43 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 00403494 appears 83 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 00403684 appears 225 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 00453344 appears 97 times
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: String function: 004460A4 appears 59 times
                    Source: EQ5Vcf19u8.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: EQ5Vcf19u8.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: EQ5Vcf19u8.tmp.0.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: classichomecinema.exe.1.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
                    Source: is-EVEJS.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                    Source: is-EVEJS.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                    Source: is-EVEJS.tmp.1.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
                    Source: ClassicHomeCinema.exe.2.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
                    Source: is-5CNOU.tmp.1.dr | Static PE information: Number of sections : 19 > 10
                    Source: sqlite3.dll.2.dr | Static PE information: Number of sections : 19 > 10
                    Source: EQ5Vcf19u8.exe, 00000000.00000003.1665138634.0000000002310000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs EQ5Vcf19u8.exe
                    Source: EQ5Vcf19u8.exe, 00000000.00000003.1665283513.00000000020C8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs EQ5Vcf19u8.exe
                    Source: EQ5Vcf19u8.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                    Source: classification engine | Classification label: mal80.troj.evad.winEXE@5/26@0/2
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B7F8C0 FormatMessageA,GetLastError,FormatMessageA,GetLastError,2_2_02B7F8C0
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_00409448
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004555E4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_004555E4
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00455E0C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,1_2_00455E0C
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: CreateServiceA,2_2_004021BD
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0046E0E4 GetVersion,CoCreateInstance,1_2_0046E0E4
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_00409C34 FindResourceA,SizeofResource,LoadResource,LockResource,0_2_00409C34
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_0040D758 StartServiceCtrlDispatcherA,2_2_0040D758
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_0040D758 StartServiceCtrlDispatcherA,2_2_0040D758
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Programs
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | File created: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp
                    Source: Yara match | File source: 2.0.classichomecinema.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000000.1677490068.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2922409932.0000000005A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-ECB74.tmp, type: DROPPED
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File read: C:\Windows\win.ini
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                    Source: classichomecinema.exe, classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: classichomecinema.exe, classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                    Source: classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                    Source: classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: classichomecinema.exe, classichomecinema.exe, 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp, sqlite3.dll.2.dr, is-5CNOU.tmp.1.dr | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: EQ5Vcf19u8.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
                    Source: EQ5Vcf19u8.exe | String found in binary or memory: /LOADINF="filename"
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | File read: C:\Users\user\Desktop\EQ5Vcf19u8.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\EQ5Vcf19u8.exe "C:\Users\user\Desktop\EQ5Vcf19u8.exe"
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp "C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp" /SL5="$1041E,3086842,56832,C:\Users\user\Desktop\EQ5Vcf19u8.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe "C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe" -i
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Process created: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp "C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp" /SL5="$1041E,3086842,56832,C:\Users\user\Desktop\EQ5Vcf19u8.exe"
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe "C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe" -i
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: textinputframework.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: coreuicomponents.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: coremessaging.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: msacm32.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: winmmbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: textshaping.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: riched20.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: usp10.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: msls31.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: explorerframe.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: sfc.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Section loaded: sfc_os.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: sqlite3.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpWindow found: window name: TMainFormJump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmpRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Classic Home Cinema_is1Jump to behavior
                    Source: EQ5Vcf19u8.exeStatic file information: File size 3335813 > 1048576
                    Source: Binary string: msvcp71.pdbx# source: is-I1A51.tmp.1.dr
                    Source: Binary string: msvcr71.pdb< source: is-TKKA3.tmp.1.dr
                    Source: Binary string: msvcp71.pdb source: is-I1A51.tmp.1.dr
                    Source: Binary string: MicrosoftWindowsGdiPlus-1.0.2600.1360-gdiplus.pdb source: is-8UHFM.tmp.1.dr
                    Source: Binary string: msvcr71.pdb source: is-TKKA3.tmp.1.dr

Data Obfuscation

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Unpacked PE file: 2.2.classichomecinema.exe.400000.0.unpack .amtt4:ER;.antt4:R;.aott4:W;.rsrc:R;.aptt4:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Unpacked PE file: 2.2.classichomecinema.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Source: initial sample | Static PE information: section where entry point is pointing to: .amtt4
Source: classichomecinema.exe.1.dr | Static PE information: section name: .amtt4
Source: classichomecinema.exe.1.dr | Static PE information: section name: .antt4
Source: classichomecinema.exe.1.dr | Static PE information: section name: .aott4
Source: classichomecinema.exe.1.dr | Static PE information: section name: .aptt4
Source: is-8UHFM.tmp.1.dr | Static PE information: section name: Shared
Source: is-5CNOU.tmp.1.dr | Static PE information: section name: /4
Source: is-5CNOU.tmp.1.dr | Static PE information: section name: /19
Source: is-5CNOU.tmp.1.dr | Static PE information: section name: /35
Source: is-5CNOU.tmp.1.dr | Static PE information: section name: /51
Source: is-5CNOU.tmp.1.dr | Static PE information: section name: /63
Source: is-5CNOU.tmp.1.dr | Static PE information: section name: /77
Source: is-5CNOU.tmp.1.dr | Static PE information: section name: /89
Source: is-5CNOU.tmp.1.dr | Static PE information: section name: /102
Source: is-5CNOU.tmp.1.dr | Static PE information: section name: /113
Source: is-5CNOU.tmp.1.dr | Static PE information: section name: /124
Source: ClassicHomeCinema.exe.2.dr | Static PE information: section name: .amtt4
Source: ClassicHomeCinema.exe.2.dr | Static PE information: section name: .antt4
Source: ClassicHomeCinema.exe.2.dr | Static PE information: section name: .aott4
Source: ClassicHomeCinema.exe.2.dr | Static PE information: section name: .aptt4
Source: sqlite3.dll.2.dr | Static PE information: section name: /4
Source: sqlite3.dll.2.dr | Static PE information: section name: /19
Source: sqlite3.dll.2.dr | Static PE information: section name: /35
Source: sqlite3.dll.2.dr | Static PE information: section name: /51
Source: sqlite3.dll.2.dr | Static PE information: section name: /63
Source: sqlite3.dll.2.dr | Static PE information: section name: /77
Source: sqlite3.dll.2.dr | Static PE information: section name: /89
Source: sqlite3.dll.2.dr | Static PE information: section name: /102
Source: sqlite3.dll.2.dr | Static PE information: section name: /113
Source: sqlite3.dll.2.dr | Static PE information: section name: /124
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_004065C8 push 00406605h; ret 0_2_004065FD
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_004040B5 push eax; ret 0_2_004040F1
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax 0_2_00408109
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_00404185 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_00404206 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_0040C218 push eax; ret 0_2_0040C219
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_004042E8 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_00404283 push 00404391h; ret 0_2_00404389
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_00408F38 push 00408F6Bh; ret 0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0040994C push 00409989h; ret 1_2_00409981
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00483F88 push 00484096h; ret 1_2_0048408E
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004062B4 push ecx; mov dword ptr [esp], eax 1_2_004062B5
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004104E0 push ecx; mov dword ptr [esp], edx 1_2_004104E5
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00412928 push 0041298Bh; ret 1_2_00412983
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00494CAC push ecx; mov dword ptr [esp], ecx 1_2_00494CB1
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0040CE38 push ecx; mov dword ptr [esp], edx 1_2_0040CE3A
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004592D0 push 00459314h; ret 1_2_0045930C
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0040F398 push ecx; mov dword ptr [esp], edx 1_2_0040F39A
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00443440 push ecx; mov dword ptr [esp], ecx 1_2_00443444
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0040546D push eax; ret 1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0040553D push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004055BE push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00485678 push ecx; mov dword ptr [esp], ecx 1_2_0048567D
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0040563B push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004056A0 push 00405749h; ret 1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004517F8 push 0045182Bh; ret 1_2_00451823
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004519BC push ecx; mov dword ptr [esp], eax 1_2_004519C1
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00477B08 push ecx; mov dword ptr [esp], edx 1_2_00477B09
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00419C28 push ecx; mov dword ptr [esp], ecx 1_2_00419C2D
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0045FD1C push ecx; mov dword ptr [esp], ecx 1_2_0045FD20
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00499D30 pushad ; retf 1_2_00499D3F
Source: classichomecinema.exe.1.dr | Static PE information: section name: .amtt4 entropy: 7.750849017599865
Source: ClassicHomeCinema.exe.2.dr | Static PE information: section name: .amtt4 entropy: 7.750849017599865

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 2_2_02B7E8A2
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Temp\is-T3CKS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Temp\is-T3CKS.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-I1A51.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-8UHFM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | File created: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\unins000.exe (copy)
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | File created: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-IIV8R.tmp
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | File created: C:\ProgramData\ClassicHomeCinema\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\is-EVEJS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Temp\is-T3CKS.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\gdiplus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\sqlite3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-5CNOU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-TKKA3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | File created: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.dll (copy)

Boot Survival

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0 2_2_02B7E8A2
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_0040D758 StartServiceCtrlDispatcherA, 2_2_0040D758
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00423C0C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_00423C0C
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004241DC IsIconic,SetActiveWindow,SetFocus, 1_2_004241DC
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00424194 IsIconic,SetActiveWindow, 1_2_00424194
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00418384 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00418384
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0042285C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0042285C
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00417598 IsIconic,GetCapture, 1_2_00417598
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0048393C IsIconic,GetWindowLongA,ShowWindow,ShowWindow, 1_2_0048393C
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00417CCE IsIconic,SetWindowPos, 1_2_00417CCE
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00417CD0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00417CD0
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0041F118 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 1_2_0041F118
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60920C91 rdtsc 2_2_60920C91
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary, 2_2_02B7E9A6
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Window / User API: threadDelayed 9681
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T3CKS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-8UHFM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T3CKS.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-I1A51.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcr71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-IIV8R.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\is-EVEJS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcp71.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T3CKS.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\gdiplus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-5CNOU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-TKKA3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.dll (copy)
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Evasive API call chain: GetSystemTime,DecisionNodes graph_0-5972
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_2-61011
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | API coverage: 5.3 %
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe TID: 6564 | Thread sleep count: 244 > 30
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe TID: 6564 | Thread sleep time: -488000s >= -30000s
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe TID: 5468 | Thread sleep time: -1140000s >= -30000s
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe TID: 6564 | Thread sleep count: 9681 > 30
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe TID: 6564 | Thread sleep time: -19362000s >= -30000s
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00452A60 FindFirstFileA,GetLastError, 1_2_00452A60
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00474F88 FindFirstFileA,FindNextFileA,FindClose, 1_2_00474F88
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004980A4 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose, 1_2_004980A4
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00464158 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00464158
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00462750 FindFirstFileA,FindNextFileA,FindClose, 1_2_00462750
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00463CDC SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode, 1_2_00463CDC
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_00409B78 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery, 0_2_00409B78
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Thread delayed: delay time: 60000
Source: classichomecinema.exe, 00000002.00000002.2921548247.0000000000858000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP/
Source: classichomecinema.exe, 00000002.00000002.2922784801.00000000032F0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | API call chain: ExitProcess graph end node graph_0-6769
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | API call chain: ExitProcess graph end node graph_2-61211
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep graph_2-60906
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60920C91 rdtsc 2_2_60920C91
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B880F0 IsDebuggerPresent, 2_2_02B880F0
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B8E6AE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 2_2_02B8E6AE
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004502C0 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004502C0
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B75E59 RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection, 2_2_02B75E59
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B880DA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_02B880DA
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_00478504 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle, 1_2_00478504
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0042E09C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid, 1_2_0042E09C
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_02B7E85A cpuid 2_2_02B7E85A
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: GetLocaleInfoA, 0_2_0040520C
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: GetLocaleInfoA, 0_2_00405258
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: GetLocaleInfoA, 1_2_00408568
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: GetLocaleInfoA, 1_2_004085B4
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_004585C8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle, 1_2_004585C8
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_004026C4 GetSystemTime, 0_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | Code function: 1_2_0045559C GetUserNameA, 1_2_0045559C
Source: C:\Users\user\Desktop\EQ5Vcf19u8.exe | Code function: 0_2_00405CF4 GetVersionExA, 0_2_00405CF4

Stealing of Sensitive Information

Source: Yara match | File source: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2922331193.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: classichomecinema.exe PID: 6568, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2922331193.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: classichomecinema.exe PID: 6568, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_609660FA sqlite3_finalize,sqlite3_free,sqlite3_value_numeric_type,sqlite3_value_numeric_type,sqlite3_value_text,sqlite3_value_int,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_mprintf,sqlite3_malloc,sqlite3_free,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value, 2_2_609660FA
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6090C1D6 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave, 2_2_6090C1D6
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_60963143 sqlite3_stricmp,sqlite3_bind_int64,sqlite3_mutex_leave, 2_2_60963143
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6096A2BD sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset, 2_2_6096A2BD
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6096923E sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_malloc,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_realloc,sqlite3_realloc,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free, 2_2_6096923E
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6096A38C sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset, 2_2_6096A38C
Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | Code function: 2_2_6096748C sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_reset,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_malloc,sqlite3_bind_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_reset,memcmp,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_column_int,sqlite3_reset,sqlite3_step,sqlite3_column_int64,sqlite3_reset,sqlite3_bind_int64,sqlite3_realloc,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free, 2_2_6096748C
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_609254B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,2_2_609254B1
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6094B407 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,2_2_6094B407
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6090F435 sqlite3_bind_parameter_index,2_2_6090F435
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_609255D4 sqlite3_mutex_leave,sqlite3_bind_text16,2_2_609255D4
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_609255FF sqlite3_bind_text,2_2_609255FF
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6096A5EE sqlite3_value_text,sqlite3_value_bytes,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_malloc,sqlite3_column_int,sqlite3_column_int64,sqlite3_column_text,sqlite3_column_bytes,sqlite3_finalize,sqlite3_step,sqlite3_free,sqlite3_finalize,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_column_int,sqlite3_step,sqlite3_reset,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_column_int64,sqlite3_column_int,sqlite3_column_text,sqlite3_column_bytes,sqlite3_step,sqlite3_finalize,sqlite3_strnicmp,sqlite3_strnicmp,sqlite3_bind_int,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_malloc,sqlite3_bind_null,sqlite3_step,sqlite3_reset,sqlite3_value_int,sqlite3_value_text,sqlite3_value_bytes,sqlite3_free,2_2_6096A5EE
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6094B54C sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,memmove,2_2_6094B54C
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_60925686 sqlite3_bind_int64,sqlite3_mutex_leave,2_2_60925686
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6094A6C5 sqlite3_bind_int64,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_malloc,sqlite3_reset,sqlite3_free,2_2_6094A6C5
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_609256E5 sqlite3_bind_int,sqlite3_bind_int64,2_2_609256E5
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6094B6ED sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,2_2_6094B6ED
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6092562A sqlite3_bind_blob,2_2_6092562A
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_60925655 sqlite3_bind_null,sqlite3_mutex_leave,2_2_60925655
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6094C64A sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_free,2_2_6094C64A
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_609687A7 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_column_blob,sqlite3_column_bytes,sqlite3_column_int64,sqlite3_reset,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_bind_int64,sqlite3_bind_int,sqlite3_step,sqlite3_reset,sqlite3_free,sqlite3_free,2_2_609687A7
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6095F7F7 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,2_2_6095F7F7
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6092570B sqlite3_bind_double,sqlite3_mutex_leave,2_2_6092570B
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6095F772 sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095F772
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_60925778 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,2_2_60925778
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6090577D sqlite3_bind_parameter_name,2_2_6090577D
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6094B764 sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_step,2_2_6094B764
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6090576B sqlite3_bind_parameter_count,2_2_6090576B
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6094A894 sqlite3_bind_int64,sqlite3_step,sqlite3_column_int64,sqlite3_reset,2_2_6094A894
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6095F883 sqlite3_bind_int64,sqlite3_bind_int,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095F883
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6094C8C2 sqlite3_value_int,sqlite3_value_int,sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_bind_null,sqlite3_bind_null,sqlite3_step,sqlite3_reset,2_2_6094C8C2
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6096281E sqlite3_mprintf,sqlite3_vtab_config,sqlite3_malloc,sqlite3_mprintf,sqlite3_mprintf,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_exec,sqlite3_free,sqlite3_prepare_v2,sqlite3_bind_text,sqlite3_step,sqlite3_column_int64,sqlite3_finalize,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_errmsg,sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_free,sqlite3_mprintf,sqlite3_free,sqlite3_declare_vtab,sqlite3_errmsg,sqlite3_mprintf,sqlite3_free,2_2_6096281E
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6096583A memcmp,sqlite3_realloc,qsort,sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_int64,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_step,sqlite3_reset,2_2_6096583A
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6095F9AD sqlite3_bind_int,sqlite3_step,sqlite3_column_type,sqlite3_reset,2_2_6095F9AD
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6094A92B sqlite3_bind_int64,sqlite3_bind_null,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6094A92B
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6090EAE5 sqlite3_transfer_bindings,2_2_6090EAE5
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6095FB98 sqlite3_value_int,sqlite3_bind_int,sqlite3_bind_value,sqlite3_step,sqlite3_reset,2_2_6095FB98
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6095ECA6 sqlite3_mprintf,sqlite3_mprintf,sqlite3_mprintf,sqlite3_prepare_v2,sqlite3_free,sqlite3_bind_value,2_2_6095ECA6
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6095FCCE sqlite3_malloc,sqlite3_free,sqlite3_bind_int64,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,2_2_6095FCCE
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6095FDAE sqlite3_malloc,sqlite3_bind_int,sqlite3_step,sqlite3_column_bytes,sqlite3_column_blob,sqlite3_reset,sqlite3_free,sqlite3_free,sqlite3_bind_int,sqlite3_bind_blob,sqlite3_step,sqlite3_reset,sqlite3_free,2_2_6095FDAE
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_60966DF1 sqlite3_value_text,sqlite3_mprintf,sqlite3_free,strcmp,sqlite3_free,sqlite3_malloc,sqlite3_bind_int64,sqlite3_step,sqlite3_column_type,sqlite3_reset,sqlite3_column_blob,sqlite3_reset,sqlite3_malloc,sqlite3_free,sqlite3_reset,sqlite3_result_error_code,sqlite3_result_blob,2_2_60966DF1
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_60969D75 sqlite3_bind_int,sqlite3_step,sqlite3_column_int,sqlite3_reset,2_2_60969D75
                    Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exeCode function: 2_2_6095FFB2 sqlite3_bind_int64,sqlite3_step,sqlite3_reset,sqlite3_result_error_code,2_2_6095FFB2
MITRE ATT&CK Matrix (a number in front of a technique is the count of matched signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 5 Windows Service | 1 DLL Side-Loading | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Input Capture | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Bootkit | 1 Access Token Manipulation | 21 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 5 Windows Service | 1 DLL Side-Loading | NTDS | 35 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Process Injection | 1 Masquerading | LSA Secrets | 151 Security Software Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 121 Virtualization/Sandbox Evasion | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 121 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 2 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Bootkit | /etc/passwd and /etc/shadow | 3 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\ClassicHomeCinema\sqlite3.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\gdiplus.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-5CNOU.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-8UHFM.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-I1A51.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-IIV8R.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-TKKA3.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcp71.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\msvcr71.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\sqlite3.dll (copy) | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\is-EVEJS.tmp | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\uninstall\unins000.exe (copy) | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp | 3% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-T3CKS.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-T3CKS.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\is-T3CKS.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2119d7368df | false | | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | EQ5Vcf19u8.tmp, EQ5Vcf19u8.tmp, 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-EVEJS.tmp.1.dr | false | | high
https://188.119.66.185/A$ | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e3008888325 | classichomecinema.exe, 00000002.00000002.2921548247.0000000000944000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://188.119.66.185/ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4 | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.remobjects.com/psU | EQ5Vcf19u8.exe, 00000000.00000003.1665138634.0000000002310000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1665283513.00000000020C8000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-EVEJS.tmp.1.dr | false | | high
https://188.119.66.185/priseCertificates | classichomecinema.exe, 00000002.00000002.2921548247.000000000093A000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/ography | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/.$g | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://188.119.66.185/z$ | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | EQ5Vcf19u8.exe | false | | high
https://188.119.66.185/ | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://188.119.66.185/z;j# | classichomecinema.exe, 00000002.00000002.2921548247.000000000093A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://188.119.66.185/en-GB | classichomecinema.exe, 00000002.00000002.2921548247.000000000093A000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | EQ5Vcf19u8.exe | false | | high
https://188.119.66.185/;$p | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.remobjects.com/ps | EQ5Vcf19u8.exe, 00000000.00000003.1665138634.0000000002310000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1665283513.00000000020C8000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, EQ5Vcf19u8.tmp, 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, EQ5Vcf19u8.tmp.0.dr, is-EVEJS.tmp.1.dr | false | | high
https://188.119.66.185/E059080EF4409BC0D96FBCBDDEEE6C0AFBE871ADbT | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.easycutstudio.com/support.html | EQ5Vcf19u8.exe, 00000000.00000002.2921525263.00000000020C1000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1664823524.00000000020C1000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.exe, 00000000.00000003.1664751497.0000000002310000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000003.1666845058.0000000003230000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000002.2921911369.0000000002278000.00000004.00001000.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000002.2921584585.0000000000602000.00000004.00000020.00020000.00000000.sdmp, EQ5Vcf19u8.tmp, 00000001.00000003.1666946097.0000000002278000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://188.119.66.185/5$n | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://188.119.66.185/6U | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://188.119.66.185/icies | classichomecinema.exe, 00000002.00000002.2922784801.00000000032FE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
31.214.157.206 | unknown | Germany | | 58329 | RACKPLACEDE | false
188.119.66.185 | unknown | Russian Federation | | 209499 | FLYNETRU | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1579844
Start date and time: 2024-12-23 11:39:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: EQ5Vcf19u8.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name: 9fbf70243a3e4aca45a6d0af87749833e506c5a3eacdbc449525bc5f62835ba6
Detection: MAL
Classification: mal80.troj.evad.winEXE@5/26@0/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 201
• Number of non-executed functions: 294
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: EQ5Vcf19u8.exe
                                                                  TimeTypeDescription
                                                                  05:40:35API Interceptor372141x Sleep call for process: classichomecinema.exe modified
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
Match: 31.214.157.206
• Associated Sample Name / URL: Oz2UhFBTHy.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 200
Match: 188.119.66.185
• Associated Sample Name / URL: vwZcJ81cpN.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: vwZcJ81cpN.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: r4xiHKy8aM.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: gjEtERlBSv.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: gjEtERlBSv.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: Hbq580QZAR.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: steel.exe.2.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: stories.exe.2.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: basx.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: list.exe, Detection: malicious, Threat Name: Socks5Systemz
No context
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
Match: RACKPLACEDE
• Associated Sample Name / URL: gjEtERlBSv.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 31.214.157.206
• Associated Sample Name / URL: Hbq580QZAR.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 31.214.157.206
• Associated Sample Name / URL: Oz2UhFBTHy.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 31.214.157.226
• Associated Sample Name / URL: GEm3o8pION.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 31.214.157.206
• Associated Sample Name / URL: bzX2pV3Ybw.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 31.214.157.206
• Associated Sample Name / URL: Ni2ghr9eUJ.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 31.214.157.206
• Associated Sample Name / URL: Ni2ghr9eUJ.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 31.214.157.206
• Associated Sample Name / URL: 2mtt3zE6Vh.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 31.214.157.206
• Associated Sample Name / URL: 7i6bUvYZ4L.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 31.214.157.206
• Associated Sample Name / URL: file.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 31.214.157.206
Match: FLYNETRU
• Associated Sample Name / URL: vwZcJ81cpN.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: vwZcJ81cpN.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: r4xiHKy8aM.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: gjEtERlBSv.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: gjEtERlBSv.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: https://drive.google.com/file/d/1zySfUjQ3GqIVAlBHIX3CXdgIcWIqrMkO/view?usp=sharing_eip&ts=67645d30, Detection: malicious, Threat Name: Unknown, Context: 188.119.66.154
• Associated Sample Name / URL: https://drive.google.com/file/d/1zySfUjQ3GqIVAlBHIX3CXdgIcWIqrMkO/view?usp=sharing_eil&ts=67645d30, Detection: malicious, Threat Name: Unknown, Context: 188.119.66.154
• Associated Sample Name / URL: Hbq580QZAR.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: steel.exe.2.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: stories.exe.2.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
Match: 51c64c77e60f3980eea90869b68c58a8
• Associated Sample Name / URL: vwZcJ81cpN.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: vwZcJ81cpN.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: r4xiHKy8aM.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: gjEtERlBSv.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: gjEtERlBSv.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: WindowsUpdate.exe, Detection: malicious, Threat Name: Unknown, Context: 188.119.66.185
• Associated Sample Name / URL: Hbq580QZAR.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: steel.exe.2.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: stories.exe.2.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
• Associated Sample Name / URL: basx.exe, Detection: malicious, Threat Name: Socks5Systemz, Context: 188.119.66.185
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
Match: C:\ProgramData\ClassicHomeCinema\sqlite3.dll
• Associated Sample Name / URL: vwZcJ81cpN.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: vwZcJ81cpN.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: r4xiHKy8aM.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: gjEtERlBSv.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: gjEtERlBSv.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: Hbq580QZAR.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: steel.exe.2.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: stories.exe.2.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: basx.exe, Detection: malicious, Threat Name: Socks5Systemz
• Associated Sample Name / URL: list.exe, Detection: malicious, Threat Name: Socks5Systemz
Process:C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2776237
Entropy (8bit):6.89792615350219
Encrypted:false
SSDEEP:49152:eyMXRWKguE94xBxa9412CZNTPpvyin/ciJQQdR:hlBu04v09412CbTxZ/cXg
MD5:765448A33166E70D7C75392D7E8FC161
SHA1:6EFD4DCAC1045792CBC34AC0DF7B71DDD887468C
SHA-256:B10B4798571466E062ED070548787DC205D774041D593197183BD68544420739
SHA-512:F71113152642359675CDBB0A6FEF08F0922CC978A2909DEBAE0C689145DBFCD2079673E91CDCF32F9B581AF175F08068559D6D284F838D71FE1D3035963B8C96
Malicious:true
Yara Hits:
• Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:low
Process:C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):645592
Entropy (8bit):6.50414583238337
Encrypted:false
SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: vwZcJ81cpN.exe, Detection: malicious
• Filename: vwZcJ81cpN.exe, Detection: malicious
• Filename: r4xiHKy8aM.exe, Detection: malicious
• Filename: gjEtERlBSv.exe, Detection: malicious
• Filename: gjEtERlBSv.exe, Detection: malicious
• Filename: Hbq580QZAR.exe, Detection: malicious
• Filename: steel.exe.2.exe, Detection: malicious
• Filename: stories.exe.2.exe, Detection: malicious
• Filename: basx.exe, Detection: malicious
• Filename: list.exe, Detection: malicious
Reputation:high, very likely benign file
Process:C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):8
Entropy (8bit):2.0
Encrypted:false
SSDEEP:3:2hl:2hl
MD5:C05D3CD3B289661FC7910E1B67BCDE80
SHA1:B73D45D1B07A0336129DFE67E7153F74C4287F44
SHA-256:53F1E737C3A5E6713B61766B17E83CC3CE619C25110811DEEE7673821AC0287F
SHA-512:59207161699F231EE903D891463295E983C569ECDDC48D930B29F758D9B266A05A363528C0C0FB9D9B367438611CA28FA4D3DCFE02676F2CAE38FA742FD87CDE
Malicious:false
Reputation:low
Preview:=>ig....
Process:C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
File Type:data
Category:dropped
Size (bytes):4
Entropy (8bit):0.8112781244591328
Encrypted:false
SSDEEP:3:Xln:1
MD5:ED69DFADEF68FC181AAE2D22715A01D6
SHA1:3A9981C3761721792B7702231583758AE5ACF8A7
SHA-256:3EF3BD3D6658C0DFDFDD7AA65E3D92BF1DA9A04678A4ED2A5D84ED824EC91775
SHA-512:B70AF13C96AC7C3AC97C84F9EFC1F38794B190635AB602CE35C8572B9C3597DD1A4ABBFFCCB3AD8AE76CDB247C221168F2D45B7225A56444FF445937921FC318
Malicious:false
Reputation:moderate, very likely benign file
Preview:....
Process:C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):128
Entropy (8bit):2.9012093522336393
Encrypted:false
SSDEEP:3:ObXXXd0AbDBdUBWetxt:Or9Lb3UFx
MD5:679DD163372163CD8FFC24E3C9E758B3
SHA1:F307C14CA65810C8D0238B89B49B2ACD7C5B233B
SHA-256:510EA89D00FA427C33BD67AEEA60D21066976F085959C2AFE1F69411A8CA722D
SHA-512:46C464F15BCE39E28DCD48AF36C424845631D2B48D7E37D7FBBBEE0BC4DF32445A2810E397BF29FCA76C0364B1AA30CC05DCF4D9E799C6C697B49A174560969C
Malicious:false
Reputation:moderate, very likely benign file
Preview:12b48997735ce8b4537cf99be74bb62f518d3799011c89eb7c719048e83fac56................................................................
Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
File Type:MS Windows HtmlHelp Data
Category:dropped
Size (bytes):78183
Entropy (8bit):7.692742945771669
Encrypted:false
SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
MD5:B1B9E6D43319F6D4E52ED858C5726A97
SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):176128
Entropy (8bit):6.204917493416147
Encrypted:false
SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
MD5:FEC4FF0C2967A05543747E8D552CF9DF
SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:modified
                                                                                                          Size (bytes):2776237
                                                                                                          Entropy (8bit):6.89792615350219
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:49152:eyMXRWKguE94xBxa9412CZNTPpvyin/ciJQQdR:hlBu04v09412CbTxZ/cXg
                                                                                                          MD5:765448A33166E70D7C75392D7E8FC161
                                                                                                          SHA1:6EFD4DCAC1045792CBC34AC0DF7B71DDD887468C
                                                                                                          SHA-256:B10B4798571466E062ED070548787DC205D774041D593197183BD68544420739
                                                                                                          SHA-512:F71113152642359675CDBB0A6FEF08F0922CC978A2909DEBAE0C689145DBFCD2079673E91CDCF32F9B581AF175F08068559D6D284F838D71FE1D3035963B8C96
                                                                                                          Malicious:true
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe, Author: Joe Security
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....5ig.....................J.......V............@...........................*.......*..............................................`..................................................................................H............................amtt4..:........................... ..`.antt4...4.......6..................@..@.aott4...e.......2..................@....rsrc........`......................@..@.aptt4..............................`.0.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1645320
                                                                                                          Entropy (8bit):6.787752063353702
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                                                          MD5:871C903A90C45CA08A9D42803916C3F7
                                                                                                          SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                                                          SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                                                          SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):645592
                                                                                                          Entropy (8bit):6.50414583238337
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                                          MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                                          SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                                          SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                                          SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1645320
                                                                                                          Entropy (8bit):6.787752063353702
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24576:Fk18V2mHkfIE3Ip9vkWEgDecZV3W9kpOuRw8RhWd5Ixwzr6lOboU7j97S9D+z98v:FZNkf+uW3D1ZVG9kVw8I5Rv6lwH9+X
                                                                                                          MD5:871C903A90C45CA08A9D42803916C3F7
                                                                                                          SHA1:D962A12BC15BFB4C505BB63F603CA211588958DB
                                                                                                          SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
                                                                                                          SHA-512:985B0B8B5E3D96ACFD0514676D9F0C5D2D8F11E31F01ACFA0F7DA9AF3568E12343CA77F541F55EDDA6A0E5C14FE733BDA5DC1C10BB170D40D15B7A60AD000145
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s...7o..7o..7o...L..<o..7o..en...L..$o...L...o...L..6o...L..6o...L..(n...L..6o..Rich7o..................PE..L.....D@...........!.........`.......Q.......`.....p................................................................l...CN..|...x....p...........................s.....8...............................................0............................text...n........................... ..`.data...X...........................@...Shared.......`.......P..............@....rsrc........p... ...`..............@..@.reloc...s..........................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):2776237
                                                                                                          Entropy (8bit):6.897925946158875
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:49152:xyMXRWKguE94xBxa9412CZNTPpvyin/ciJQQdR:4lBu04v09412CbTxZ/cXg
                                                                                                          MD5:14488CA0E9ECB480700491BA236B41D3
                                                                                                          SHA1:CAA9554DF651D5CB054CC4CB19505620A217DBD9
                                                                                                          SHA-256:277FB3E35678D323C87099C7625A4695E8BD558493430C1751F6E826EAE7B908
                                                                                                          SHA-512:0049D19A2CD38E05AAE9E2F74D98494F3431D3155F0BABA388480F7EE8D26452057FCFD778C0EAAF37109FD0BA98FF95DB2817640B5A357D83A95D32409B0E5C
                                                                                                          Malicious:false
                                                                                                          Yara Hits:
                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\is-ECB74.tmp, Author: Joe Security
                                                                                                          Preview:.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................PE..L....5ig.....................J.......V............@...........................*.......*..............................................`..................................................................................H............................amtt4..:........................... ..`.antt4...4.......6..................@..@.aott4...e.......2..................@....rsrc........`......................@..@.aptt4..............................`.0.........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):499712
                                                                                                          Entropy (8bit):6.414789978441117
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                                          MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                                          SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                                          SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                                          SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):176128
                                                                                                          Entropy (8bit):6.204917493416147
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3072:l9iEoC1+7N9UQV2Mi8NTUU3/EO3h3E9y6GeoPRtsoWhi75MUbvSHQ:l+ssU62Mi8x9P/UVGeQRthMUbvS
                                                                                                          MD5:FEC4FF0C2967A05543747E8D552CF9DF
                                                                                                          SHA1:B4449DC0DF8C0AFCC9F32776384A6F5B5CEDE20C
                                                                                                          SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
                                                                                                          SHA-512:93E3F48CD393314178CBC86F6142D577D5EAAE52B47C4D947DBA4DFB706860B150FF5B0E546CB83114CA44666E9DF6021964D79D064B775A58698DAA9550EF13
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+0.J^..J^..J^.cE...J^..VR..J^..UU..J^.#VP..J^..UT..J^..UZ..J^..kU..J^..kZ..J^..J_..J^..iT..J^..io..J^.gLX..J^._jZ..J^.Rich.J^.................PE..L.....L...........!.....0...@.......'.......@...................................................................... e..k....X..d....`.......................p..p....................................................@...............................text....".......0.................. ..`.rdata...%...@...0...@..............@..@.data...T....p... ...p..............@....rsrc........`......................@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................................................
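Added example (not part of the Joe Sandbox report): a triage script over records of this dropped-file listing. It is built on five records copied from above, with the Preview values shortened to the DOS-stub/section-table part, and checks three things an analyst would look at in this section: a PE whose preview shows .rsrc but no .text/CODE section (the amtt4/antt4/aott4/aptt4 names in the classichomecinema.exe record), records the sandbox marks Malicious:true while every listed engine reports 0%, and the pairing of the 2776237-byte file typed "data" (preview ".Z", one SSDEEP character different per chunk) with the same-size PE32 file. The SSDEEP comparison is a simplified difflib chunk check, not the real ssdeep score, and reading the ".Z" file as a staging copy of the installer's output is an assumption, not something the report states.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: five records copied from the listing above with previews
# shortened to the DOS-stub/section-table part. Field values are the report's own.
SAMPLE = r"""
Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):2776237
SSDEEP:49152:eyMXRWKguE94xBxa9412CZNTPpvyin/ciJQQdR:hlBu04v09412CbTxZ/cXg
SHA-256:B10B4798571466E062ED070548787DC205D774041D593197183BD68544420739
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview:MZ......................@...PE..L....5ig.....amtt4..:....antt4...4....aott4...e....rsrc........aptt4....
Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
File Type:data
Size (bytes):2776237
SSDEEP:49152:xyMXRWKguE94xBxa9412CZNTPpvyin/ciJQQdR:4lBu04v09412CbTxZ/cXg
SHA-256:277FB3E35678D323C87099C7625A4695E8BD558493430C1751F6E826EAE7B908
Malicious:false
Preview:.Z......................@...PE..L....5ig.....amtt4..:....antt4...4....aott4...e....rsrc........aptt4....
Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):176128
SHA-256:5374148EBCF4B456F8711516A58C9A007A393CA88F3D9759041F691E4343C7D6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...PE..L.....L.....text....".....rdata...%....data...T.....rsrc.........reloc....
Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes):1645320
SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...PE..L.....D@.....text...n.....data...X....Shared.......rsrc.........reloc...s
Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes):1645320
SHA-256:F1DA32183B3DA19F75FA4EF0974A64895266B16D119BBB1DA9FE63867DBA0645
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...PE..L.....D@.....text...n.....data...X....Shared.......rsrc.........reloc...s
"""

AV_RE = re.compile(r"• Antivirus: (.+?), Detection: (\d+)%")

def parse_records(text):
    """Each record starts at a Process: line; AV bullets are kept as (engine, pct)."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Process:"):
            cur = {"av": []}
            records.append(cur)
        if cur is None or not line:
            continue
        m = AV_RE.match(line)
        if m:
            cur["av"].append((m.group(1), int(m.group(2))))
        elif ":" in line:
            key, value = line.split(":", 1)   # SSDEEP and Preview values contain colons
            cur[key] = value
    return records

def renamed_code_section(rec):
    """PE preview shows a section table with .rsrc but no .text/CODE section,
    i.e. the code section carries a non-standard name (amtt4, antt4, ...)."""
    p = rec.get("Preview", "")
    return "PE..L" in p and ".rsrc" in p and ".text" not in p and "CODE" not in p

def flagged_but_undetected(rec):
    """Sandbox verdict Malicious:true while every listed engine reports 0%."""
    av = rec["av"]
    return rec.get("Malicious") == "true" and bool(av) and all(pct == 0 for _, pct in av)

def ssdeep_similar(a, b, min_ratio=0.9):
    """Simplified check, not the real ssdeep score: same block size and both
    chunk hashes nearly identical by difflib ratio."""
    (ba, ca, da), (bb, cb, db) = a.split(":"), b.split(":")
    if ba != bb:
        return False
    sim = lambda x, y: SequenceMatcher(None, x, y).ratio()
    return min(sim(ca, cb), sim(da, db)) >= min_ratio

def staged_copies(records):
    """Pair a 'data' file whose preview starts '.Z' (an MZ header with its first
    byte altered) with a PE of identical size and near-identical SSDEEP.
    Assumption: such a pair is a staging copy of the same dropped executable."""
    pairs = []
    for d in records:
        if d.get("File Type") != "data" or not d.get("Preview", "").startswith(".Z"):
            continue
        for pe in records:
            if (pe.get("File Type", "").startswith("PE32")
                    and pe.get("Size (bytes)") == d.get("Size (bytes)")
                    and ssdeep_similar(pe["SSDEEP"], d["SSDEEP"])):
                pairs.append((d["SHA-256"], pe["SHA-256"]))
    return pairs

def triage(text):
    recs = parse_records(text)
    return {
        "records": len(recs),
        "unique_sha256": len({r["SHA-256"] for r in recs}),  # same DLL dropped twice
        "renamed_code_section": [r["SHA-256"] for r in recs if renamed_code_section(r)],
        "malicious_undetected": [r["SHA-256"] for r in recs if flagged_but_undetected(r)],
        "staged_copies": staged_copies(recs),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On the five sample records the script reports 4 unique SHA-256 values for 5 records (the 1645320-byte DLL appears twice in the listing), flags both 2776237-byte files for the renamed code section, flags the 176128-byte DLL as Malicious:true with 0% engine detection, and pairs the ".Z" data file with classichomecinema.exe. Against the full report the Preview field is the only section-name evidence available here; confirm with the real section table before treating a renamed section as a packer indicator.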
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:MS Windows HtmlHelp Data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):78183
                                                                                                          Entropy (8bit):7.692742945771669
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:1536:Bkt2SjEQ3r94YqwyadpL1X6Dtn4afF1VowWb8ZmmUQNk3gNqCLbMsFxJse8hbpmn:mR/CYj9dp5XIyI2b/mY3gNjLbMsOaP
                                                                                                          MD5:B1B9E6D43319F6D4E52ED858C5726A97
                                                                                                          SHA1:5033047A30CCCF57783C600FD76A6D220021B19D
                                                                                                          SHA-256:8003A4A0F9F5DFB62BEFBF81F8C05894B0C1F987ACFC8654A6C6CE02B6213910
                                                                                                          SHA-512:E56D6EC9170DEBAC28BB514942F794F73D4C194D04C54EFF9227B6EE3C74BA4FCF239FFF0BB6556DC8B847FA89D382AF206A2C481C41A3510936B0A74192D2C2
                                                                                                          Malicious:false
                                                                                                          Preview:ITSF....`..........E.......|.{.......".....|.{......."..`...............x.......T.......................g1..............ITSP....T...........................................j..].!......."..T...............PMGLW................/..../#IDXHDR...F.../#ITBITS..../#IVB...N$./#STRINGS.....P./#SYSTEM..N.'./#TOPICS...F.0./#URLSTR...:.t./#URLTBL...v.D./$FIftiMain......1./$OBJINST...z.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...v../$WWKeywordLinks/..../$WWKeywordLinks/Property...r../After.jpg...4..../Auto-.hhc...^./Auto-Adjustment.htm....?./Auto-BleachTeeth.htm...z.3./Auto-Crop2Plus.htm..U.j./Auto-Emphasis.htm...w.V./Auto-EyeColor.htm...!.../Auto-EyePencil.htm..._.../Auto-EyeShadow.htm...,.3./Auto-GettingStarted.htm....Q./Auto-Lipstick.htm..R.M./Auto-Liquify.htm...-.v./Auto-Menu.htm..S.r./Auto-OrderingInformation.htm...Q.../Auto-Overview.htm..^.$./Auto-Powder.htm......./Auto-Resize.htm..s.b./Auto-Rotation.htm..?.e./Auto-Rouge.htm...=.d./Auto-SkinCare.htm...|.{./Auto-SmartPatchCosmet
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):348160
                                                                                                          Entropy (8bit):6.542655141037356
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                                          MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                                          SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                                          SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                                          SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):499712
                                                                                                          Entropy (8bit):6.414789978441117
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:fJzxYPVsBnxO/R7krZhUgiW6QR7t5k3Ooc8iHkC2eq:fZxvBnxOJ7ki3Ooc8iHkC2e
                                                                                                          MD5:561FA2ABB31DFA8FAB762145F81667C2
                                                                                                          SHA1:C8CCB04EEDAC821A13FAE314A2435192860C72B8
                                                                                                          SHA-256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
                                                                                                          SHA-512:7D960AA8E3CCE22D63A6723D7F00C195DE7DE83B877ECA126E339E2D8CC9859E813E05C5C0A5671A75BB717243E9295FD13E5E17D8C6660EB59F5BAEE63A7C43
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................................................Rich...................PE..L.....w>...........!.................-............:|................................~e..............................$...?...d!..<....`.......................p...0..8...8...............................H............................................text............................... ..`.rdata..2*.......0..................@..@.data...h!...0... ...0..............@....rsrc........`.......P..............@..@.reloc...0...p...@...`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):348160
                                                                                                          Entropy (8bit):6.542655141037356
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:OcV9z83OtqxnEYmt3NEnvfF+Tbmbw6An8FMciFMNrb3YgxxpbCAOxO2ElvlE:Ooz83OtIEzW+/m/AyF7bCrO/E
                                                                                                          MD5:86F1895AE8C5E8B17D99ECE768A70732
                                                                                                          SHA1:D5502A1D00787D68F548DDEEBBDE1ECA5E2B38CA
                                                                                                          SHA-256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE
                                                                                                          SHA-512:3B7CE2B67056B6E005472B73447D2226677A8CADAE70428873F7EFA5ED11A3B3DBF6B1A42C5B05B1F2B1D8E06FF50DFC6532F043AF8452ED87687EEFBF1791DA
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2..S..S..S..Tp..S..S..5S..BX..S..BX...S..BX..Q..BX..S..BX..S..BX..S..Rich.S..........................PE..L.....V>...........!................."............4|.........................`......................................t....C......(.... .......................0..d+..H...8...........................x...H...............l............................text............................... ..`.rdata..@...........................@..@.data... h.......`..................@....rsrc........ ......................@..@.reloc..d+...0...0... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):645592
                                                                                                          Entropy (8bit):6.50414583238337
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                                                                                                          MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                                                                                                          SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                                                                                                          SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                                                                                                          SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):717985
                                                                                                          Entropy (8bit):6.514903669143629
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:+TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+pIq5MRxyFj:+PcYn5c/rPx37/zHBA6pFptZ1CEoqMRG
                                                                                                          MD5:A170DF3B154D2DE2AAAE594B2421E4C7
                                                                                                          SHA1:5302C579870D83176682BB41A9D516D7224CA8A6
                                                                                                          SHA-256:3484726C89963BBAE4821B645FD582622524F189E10FDC7AF92094D627011D44
                                                                                                          SHA-512:1705A73535EE3D73288C29E7C444C9F9106CD1812765800E79ABC5B55DAB68279244DD5502986D45B42E89DAE26D45256F3F6C14CD014E5E1D9C84F767725645
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:InnoSetup Log Classic Home Cinema, version 0x30, 4757 bytes, 855271\user, "C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12"
                                                                                                          Category:dropped
                                                                                                          Size (bytes):4757
                                                                                                          Entropy (8bit):4.730392533026202
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:96:TFekdWr38cpA4cBd9S+eOIhyAa7ICSss/Ln3vX/uwuau8HrubHkq7t:5fdWr33pA42HIh6ICSsAnXRTfK
                                                                                                          MD5:E0D613585349B13998CAC96E76C0A560
                                                                                                          SHA1:42C4DD615D7985BFC29413AF6CB39FF47BE610DE
                                                                                                          SHA-256:630F3352651C17A65172ADC2195F1050DE14E904E513C5E7DF37CE7ABC0A03B3
                                                                                                          SHA-512:E274E14330A74695B6FB74D4BDEA44F4E554946C4DA507FFFF543F707DFBCE29D6108CE3ED1F6A9A0B43E3F665E39255C5DF62DFFB97FA15DBBC702D942B511B
                                                                                                          Malicious:false
                                                                                                          Preview:Inno Setup Uninstall Log (b)....................................Classic Home Cinema.............................................................................................................Classic Home Cinema.............................................................................................................0...........%...........................................................................................................................;.......W....855271.user7C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12...........(...!.. ............IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):717985
                                                                                                          Entropy (8bit):6.514903669143629
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:+TPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+pIq5MRxyFj:+PcYn5c/rPx37/zHBA6pFptZ1CEoqMRG
                                                                                                          MD5:A170DF3B154D2DE2AAAE594B2421E4C7
                                                                                                          SHA1:5302C579870D83176682BB41A9D516D7224CA8A6
                                                                                                          SHA-256:3484726C89963BBAE4821B645FD582622524F189E10FDC7AF92094D627011D44
                                                                                                          SHA-512:1705A73535EE3D73288C29E7C444C9F9106CD1812765800E79ABC5B55DAB68279244DD5502986D45B42E89DAE26D45256F3F6C14CD014E5E1D9C84F767725645
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                                                          Process:C:\Users\user\Desktop\EQ5Vcf19u8.exe
                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):706560
                                                                                                          Entropy (8bit):6.506375340710484
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12288:GTPcYn5c/rPx37/zHBA6a5UeYpthr1CERAgrNuR+pIq5MRxyF:WPcYn5c/rPx37/zHBA6pFptZ1CEoqMRU
                                                                                                          MD5:BCF2F0322A00DC0DE9B0CAE39438B480
                                                                                                          SHA1:81D7CB7F7F83A6CADAABC4D407C94B9C01C6BF7B
                                                                                                          SHA-256:D450B34EFA2D2E162CD0C79C8B6BE88D035B84F0E25EC28C52B2A2068DA3C701
                                                                                                          SHA-512:B0CD6513B174AED0049206F490A9D15F9C7814C79960041EC2BA8A9EA6C171D6138F33BD544E917FB38E653731D57D57058DCC2C29D22D18198299F901E3DF7F
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 3%
                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................~........................@..............................................@...............................%..................................................................................................................CODE.....}.......~.................. ..`DATA................................@...BSS......................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................T..............@..P........................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):2560
                                                                                                          Entropy (8bit):2.8818118453929262
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                          MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                          SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                          SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                          SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):6144
                                                                                                          Entropy (8bit):4.289297026665552
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:Sv1LfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2pGSS4k+bkg6j0KHc:wfkcXegaJ/ZAYNzcld1xaX12pfSKvkc
                                                                                                          MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89
                                                                                                          SHA1:D0EACD5322C036554D509C7566F0BCC7607209BD
                                                                                                          SHA-256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40
                                                                                                          SHA-512:2735BB610060F749E26ACD86F2DF2B8A05F2BDD3DCCF3E4B2946EBB21BA0805FB492C474B1EEB2C5B8BF1A421F7C1B8728245F649C644F4A9ECC5BD8770A16F6
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....HP..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):23312
                                                                                                          Entropy (8bit):4.596242908851566
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                          MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                          SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                          SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                          SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                          Entropy (8bit):7.997628924855278
                                                                                                          TrID:
                                                                                                          • Win32 Executable (generic) a (10002005/4) 98.32%
                                                                                                          • Inno Setup installer (109748/4) 1.08%
                                                                                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                          • Windows Screen Saver (13104/52) 0.13%
                                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
File name: EQ5Vcf19u8.exe
File size: 3'335'813 bytes
MD5: 849f1e782aef6fc885225f115db43236
SHA1: 2e790be949272e97d9fd71b7a6ea34140f08fb16
SHA256: 9fbf70243a3e4aca45a6d0af87749833e506c5a3eacdbc449525bc5f62835ba6
SHA512: 5424569f06069f8051516acb203f3e4eb889c0417b0a2552ea9aa992c4467e684f6b09ad78812b1a76de6f6a8722cad5427cef4a860799ac449b6a62d8c82b87
SSDEEP: 98304:M4TCwmZJtRTroyMXl2ZT3nt+kRDVBAGhYhbuXBQTu2:Mrria3t+sD8GhObuxz2
TLSH: A2F533D7A2A9D27DD4F7A0F0852F971E9633392A1E755038268D2ACE8FF3619484C7C4
File Content Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
Icon Hash: 2d2e3797b32b2b99
Entrypoint: 0x40a5f8
Entrypoint Section: CODE
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics: TERMINAL_SERVER_AWARE (no DYNAMIC_BASE and no NX_COMPAT: the image does not opt in to ASLR or DEP, and with relocations stripped it always loads at the 0x400000 image base)
Time Stamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (the fixed value the Borland/Delphi linker writes into every image; it is not the build date)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash: 884310b1928934402ea6fec1dbd3cf5e
Entrypoint instructions (disassembly at 0x40a5f8). The repeated sequence push ebp / push handler-address / push dword ptr fs:[eax] / mov dword ptr fs:[eax], esp installs a structured exception handler frame (fs:[0] is the head of the SEH chain), which is the standard Delphi try/except and try/finally prologue. The call targets are printed as the report's disassembler rendered them and are not addresses inside the 0x400000 image.
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007FFB487C8453h
call 00007FFB487C965Ah
call 00007FFB487C98E9h
call 00007FFB487C998Ch
call 00007FFB487CB92Bh
call 00007FFB487CE296h
call 00007FFB487CE3FDh
xor eax, eax
push ebp
push 0040ACC9h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040AC92h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007FFB487CEEABh
call 00007FFB487CEA96h
cmp byte ptr [0040B234h], 00000000h
je 00007FFB487CF98Eh
call 00007FFB487CEFA8h
xor eax, eax
call 00007FFB487C9149h
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007FFB487CBF3Bh
mov edx, dword ptr [ebp-10h]
mov eax, 0040CE28h
call 00007FFB487C84EAh
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CE28h]
mov dl, 01h
mov eax, 0040738Ch
call 00007FFB487CC7CAh
mov dword ptr [0040CE2Ch], eax
xor edx, edx
push ebp
push 0040AC4Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FFB487CEF06h
mov dword ptr [0040CE34h], eax
mov eax, dword ptr [0040CE34h]
cmp dword ptr [eax+0Ch], 00000000h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd000 | 0x950 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x2c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x9d30 | 0x9e00 | c3bd95c4b1a8e5199981e0d9b45fd18c | False | 0.6052709651898734 | data | 6.631765876950794 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xb000 | 0x250 | 0x400 | 1ee71d84f1c77af85f1f5c278f880572 | False | 0.306640625 | data | 2.751820662285145 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xc000 | 0xe8c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xd000 | 0x950 | 0xa00 | bb5485bf968b970e5ea81292af2acdba | False | 0.414453125 | data | 4.430733069799036 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xe000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xf000 | 0x18 | 0x200 | 9ba824905bf9c7922b6fc87a38b74366 | False | 0.052734375 | data | 0.2044881574398449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0x8c4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x2c00 | 0x2c00 | 83e09258de55f10b9aaa4a81ee5fc40a | False | 0.3259055397727273 | data | 4.495073399157993 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x11354 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Dutch | Netherlands | 0.5675675675675675
RT_ICON | 0x1147c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 320 | Dutch | Netherlands | 0.4486994219653179
RT_ICON | 0x119e4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Dutch | Netherlands | 0.4637096774193548
RT_ICON | 0x11ccc | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | Dutch | Netherlands | 0.3935018050541516
RT_STRING | 0x12574 | 0x2f2 | data | | | 0.35543766578249336
RT_STRING | 0x12868 | 0x30c | data | | | 0.3871794871794872
RT_STRING | 0x12b74 | 0x2ce | data | | | 0.42618384401114207
RT_STRING | 0x12e44 | 0x68 | data | | | 0.75
RT_STRING | 0x12eac | 0xb4 | data | | | 0.6277777777777778
RT_STRING | 0x12f60 | 0xae | data | | | 0.5344827586206896
RT_RCDATA | 0x13010 | 0x2c | data | | | 1.1818181818181819
RT_GROUP_ICON | 0x1303c | 0x3e | data | English | United States | 0.8387096774193549
RT_VERSION | 0x1307c | 0x4f4 | data | English | United States | 0.2634069400630915
RT_MANIFEST | 0x13570 | 0x5a4 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.42590027700831024
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll | MessageBoxA
oleaut32.dll | VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll | WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll | TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll | InitCommonControls
advapi32.dll | AdjustTokenPrivileges
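The header, section and import tables above carry the static facts a triage script would check before any dynamic analysis: relocations stripped, no ASLR or DEP opt-in, the fixed Delphi linker timestamp, sections with no data on disk, and the import table that produces the Import Hash. The following script is an added example and is not part of the Joe Sandbox report or code from the sample; its inputs are transcribed from the tables above, the flag bit values are the documented IMAGE_FILE_*, IMAGE_DLLCHARACTERISTICS_* and IMAGE_SCN_* constants, the entropy threshold is an assumption chosen for illustration, and the imphash routine assumes the report lists imports in the binary's thunk order (if it does not, the computed hash will differ from the report's Import Hash and that difference means listing order, not a bad hash).

```python
"""Static triage of the PE facts in the report (added example, not the sample's code)."""
import hashlib

# Documented PE constants (winnt.h)
FILE_FLAGS = {
    "RELOCS_STRIPPED": 0x0001, "EXECUTABLE_IMAGE": 0x0002, "LINE_NUMS_STRIPPED": 0x0004,
    "LOCAL_SYMS_STRIPPED": 0x0008, "BYTES_REVERSED_LO": 0x0080, "32BIT_MACHINE": 0x0100,
    "BYTES_REVERSED_HI": 0x8000,
}
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020, "DYNAMIC_BASE": 0x0040, "NX_COMPAT": 0x0100,
    "NO_SEH": 0x0400, "GUARD_CF": 0x4000, "TERMINAL_SERVER_AWARE": 0x8000,
}
SECTION_FLAGS = {
    "IMAGE_SCN_CNT_CODE": 0x00000020, "IMAGE_SCN_CNT_INITIALIZED_DATA": 0x00000040,
    "IMAGE_SCN_MEM_SHARED": 0x10000000, "IMAGE_SCN_MEM_EXECUTE": 0x20000000,
    "IMAGE_SCN_MEM_READ": 0x40000000, "IMAGE_SCN_MEM_WRITE": 0x80000000,
}
DELPHI_LINKER_TIMESTAMP = 0x2A425E19  # fixed value the Borland/Delphi linker emits

# Transcribed from the report tables
TIME_STAMP = 0x2A425E19
FILE_CHARACTERISTICS = ("RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, "
                        "LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI")
DLL_CHARACTERISTICS = "TERMINAL_SERVER_AWARE"
# (name, virtual size, raw size, entropy, characteristics)
SECTIONS = [
    ("CODE",   0x9d30, 0x9e00, 6.63, "IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ"),
    ("DATA",   0x250,  0x400,  2.75, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    ("BSS",    0xe8c,  0x0,    0.0,  "IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    (".idata", 0x950,  0xa00,  4.43, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    (".tls",   0x8,    0x0,    0.0,  "IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE"),
    (".rdata", 0x18,   0x200,  0.20, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ"),
    (".reloc", 0x8c4,  0x0,    0.0,  "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ"),
    (".rsrc",  0x2c00, 0x2c00, 4.50, "IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ"),
]
# (dll, functions) in the order the report lists them (assumed to be thunk order)
IMPORTS = [
    ("kernel32.dll", "DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle"),
    ("user32.dll", "MessageBoxA"),
    ("oleaut32.dll", "VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen"),
    ("advapi32.dll", "RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA"),
    ("kernel32.dll", "WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle"),
    ("user32.dll", "TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA"),
    ("comctl32.dll", "InitCommonControls"),
    ("advapi32.dll", "AdjustTokenPrivileges"),
]


def flags(names: str, table: dict) -> int:
    """Turn the report's comma-separated flag names back into the numeric header field."""
    value = 0
    for name in names.split(","):
        value |= table[name.strip()]
    return value


def audit_mitigations(file_chars: str, dll_chars: str, timestamp: int) -> dict:
    """Exploit-mitigation and provenance checks read straight from the headers."""
    fc, dc = flags(file_chars, FILE_FLAGS), flags(dll_chars, DLL_FLAGS)
    return {
        "relocs_stripped": bool(fc & FILE_FLAGS["RELOCS_STRIPPED"]),  # cannot be rebased
        "aslr_opt_in": bool(dc & DLL_FLAGS["DYNAMIC_BASE"]),
        "dep_opt_in": bool(dc & DLL_FLAGS["NX_COMPAT"]),
        "delphi_fixed_timestamp": timestamp == DELPHI_LINKER_TIMESTAMP,
    }


def audit_sections(sections, entropy_threshold: float = 7.0) -> list:
    """Flag W+X sections, sections with no data on disk, and high-entropy (possibly packed) sections."""
    findings = []
    for name, vsize, rsize, entropy, chars in sections:
        bits = flags(chars, SECTION_FLAGS)
        if bits & SECTION_FLAGS["IMAGE_SCN_MEM_EXECUTE"] and bits & SECTION_FLAGS["IMAGE_SCN_MEM_WRITE"]:
            findings.append((name, "writable and executable"))
        if rsize == 0 and vsize > 0:
            findings.append((name, "no data on disk, allocated at load time"))
        if entropy > entropy_threshold:  # threshold is an assumption for this example
            findings.append((name, "high entropy, possibly packed"))
    return findings


def imphash(imports) -> str:
    """pefile-style import hash: md5 over 'dll.func' pairs, lowercased, comma-joined, in thunk order."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        parts.extend(f"{lib}.{f.strip().lower()}" for f in funcs.split(","))
    return hashlib.md5(",".join(parts).encode()).hexdigest()


if __name__ == "__main__":
    print(audit_mitigations(FILE_CHARACTERISTICS, DLL_CHARACTERISTICS, TIME_STAMP))
    for name, why in audit_sections(SECTIONS):
        print(f"{name}: {why}")
    print("imphash from listed imports (see listing-order caveat):", imphash(IMPORTS))
```

The order sensitivity of the hash is the point of the last check: two binaries with the same import set in a different thunk order produce different hashes, so comparing an imphash across tools only works when both read the real thunk table rather than a sorted or deduplicated listing.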
Language of compilation system | Country where language is spoken
Dutch | Netherlands
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-23T11:40:55.945834+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49736 | 188.119.66.185 | 443 | TCP
2024-12-23T11:40:56.621365+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49736 | 188.119.66.185 | 443 | TCP
2024-12-23T11:40:58.200438+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49737 | 188.119.66.185 | 443 | TCP
2024-12-23T11:40:58.893654+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49737 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:03.725747+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49746 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:04.444986+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49746 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:06.213178+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49752 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:06.895357+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49752 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:08.777176+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49759 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:09.464307+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49759 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:11.042483+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49765 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:11.723184+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49765 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:13.475292+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49771 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:14.155716+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49771 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:15.727046+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49777 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:16.412756+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49777 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:17.992801+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49783 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:18.675906+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49783 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:20.447585+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49789 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:21.172790+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49789 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:22.849718+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49800 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:23.533961+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49800 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:25.121094+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49806 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:25.859838+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49806 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:27.493734+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49811 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:28.320207+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49811 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:30.106748+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49817 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:30.810361+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49817 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:32.381326+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49823 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:33.127201+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49823 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:34.807359+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49829 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:35.490294+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49829 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:37.055328+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49835 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:37.736302+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49835 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:39.562425+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49841 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:40.243679+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49841 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:41.875564+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49847 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:42.558506+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49847 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:44.250375+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49853 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:44.941050+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49853 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:46.507483+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49858 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:47.187955+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49858 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:48.757872+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49864 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:49.440777+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49864 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:51.200303+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49870 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:51.885331+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49870 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:53.590553+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49881 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:54.361600+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49881 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:56.095549+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49887 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:56.780016+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49887 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:58.350485+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49893 | 188.119.66.185 | 443 | TCP
2024-12-23T11:41:59.033747+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49893 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:00.749705+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49899 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:01.508704+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49899 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:03.097260+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:03.778164+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49905 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:05.481336+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49911 | 188.119.66.185 | 443 | TCP
2024-12-23T11:42:06.180567+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49911 | 188.119.66.185 | 443 | TCP
Note on reading this table: SID 2028765 matches on the JA3 fingerprint of the TLS ClientHello, which many TLS client stacks share, so "Possible Dridex" is a fingerprint hit and not a family attribution; the report's own detection is Socks5Systemz. The pair of alerts repeats for 29 short-lived connections to 188.119.66.185:443, each from a fresh source port, at intervals of roughly 2.4 seconds, which is the beaconing pattern the sandbox saw during its run.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                          Dec 23, 2024 11:41:18.784853935 CET49789443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:18.784884930 CET44349789188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:20.447470903 CET44349789188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:20.447585106 CET49789443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:20.448261023 CET49789443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:20.448283911 CET44349789188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:20.448437929 CET49789443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:20.448451042 CET44349789188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:21.172894001 CET44349789188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:21.172998905 CET49789443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:21.173053980 CET44349789188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:21.173089981 CET44349789188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:21.173119068 CET49789443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:21.173155069 CET49789443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:21.181092024 CET49789443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:21.181127071 CET44349789188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:21.347393036 CET49800443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:21.347423077 CET44349800188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:21.347467899 CET49800443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:21.347841024 CET49800443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:21.347855091 CET44349800188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:22.848556042 CET44349800188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:22.849718094 CET49800443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:22.850270987 CET49800443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:22.850281000 CET44349800188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:22.850542068 CET49800443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:22.850547075 CET44349800188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:23.534023046 CET44349800188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:23.534090042 CET49800443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:23.534099102 CET44349800188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:23.534157991 CET49800443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:23.534168959 CET44349800188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:23.534229040 CET49800443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:23.534955978 CET49800443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:23.534970045 CET44349800188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:23.664782047 CET49806443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:23.664800882 CET44349806188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:23.664989948 CET49806443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:23.665292978 CET49806443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:23.665307045 CET44349806188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:25.121025085 CET44349806188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:25.121093988 CET49806443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:25.121612072 CET49806443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:25.121624947 CET44349806188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:25.121783972 CET49806443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:25.121789932 CET44349806188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:25.859937906 CET44349806188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:25.860131025 CET44349806188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:25.860330105 CET49806443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:25.860479116 CET49806443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:25.860496044 CET44349806188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:25.971997023 CET49811443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:25.972033978 CET44349811188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:25.972131014 CET49811443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:25.972342014 CET49811443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:25.972362041 CET44349811188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:27.493644953 CET44349811188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:27.493733883 CET49811443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:27.494169950 CET49811443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:27.494175911 CET44349811188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:27.494352102 CET49811443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:27.494357109 CET44349811188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:28.320308924 CET44349811188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:28.320384979 CET49811443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:28.320404053 CET44349811188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:28.320450068 CET49811443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:28.320477009 CET44349811188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:28.320530891 CET49811443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:28.320652008 CET49811443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:28.320667028 CET44349811188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:28.440495968 CET49817443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:28.440541983 CET44349817188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:28.440632105 CET49817443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:28.440956116 CET49817443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:28.440973997 CET44349817188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:30.106659889 CET44349817188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:30.106748104 CET49817443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:30.123800039 CET49817443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:30.123812914 CET44349817188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:30.124346018 CET49817443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:30.124351978 CET44349817188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:30.810427904 CET44349817188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:30.810587883 CET44349817188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:30.810631037 CET49817443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:30.810664892 CET49817443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:30.810796976 CET49817443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:30.810838938 CET44349817188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:30.924877882 CET49823443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:30.924947023 CET44349823188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:30.925054073 CET49823443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:30.925263882 CET49823443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:30.925297022 CET44349823188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:32.381138086 CET44349823188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:32.381325960 CET49823443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:32.381732941 CET49823443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:32.381752968 CET44349823188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:32.381890059 CET49823443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:32.381901026 CET44349823188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:33.127274990 CET44349823188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:33.127379894 CET49823443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:33.127439976 CET44349823188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:33.127489090 CET44349823188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:33.127521038 CET49823443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:33.127548933 CET49823443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:33.202836990 CET49823443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:33.202882051 CET44349823188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:33.346837044 CET49829443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:33.346868038 CET44349829188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:33.346950054 CET49829443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:33.347173929 CET49829443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:33.347186089 CET44349829188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:34.806531906 CET44349829188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:34.807358980 CET49829443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:34.807763100 CET49829443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:34.807768106 CET44349829188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:34.807957888 CET49829443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:34.807961941 CET44349829188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:35.490338087 CET44349829188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:35.490514994 CET44349829188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:35.490582943 CET49829443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:35.490797997 CET49829443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:35.490807056 CET44349829188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:35.596586943 CET49835443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:35.596630096 CET44349835188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:35.596724033 CET49835443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:35.596915960 CET49835443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:35.596935987 CET44349835188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:37.055233955 CET44349835188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:37.055327892 CET49835443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:37.055874109 CET49835443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:37.055880070 CET44349835188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:37.057734966 CET49835443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:37.057740927 CET44349835188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:37.736392021 CET44349835188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:37.736479044 CET49835443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:37.736495018 CET44349835188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:37.736537933 CET49835443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:37.736546040 CET44349835188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:37.736592054 CET49835443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:37.742856026 CET49835443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:37.742876053 CET44349835188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:37.915877104 CET49841443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:37.915925026 CET44349841188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:37.916002035 CET49841443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:37.916363001 CET49841443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:37.916394949 CET44349841188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:39.562323093 CET44349841188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:39.562424898 CET49841443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:39.563112020 CET49841443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:39.563127041 CET44349841188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:39.563416958 CET49841443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:39.563426971 CET44349841188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:40.243731022 CET44349841188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:40.243865967 CET49841443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:40.243896961 CET44349841188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:40.243931055 CET44349841188.119.66.185192.168.2.4
                                                                                                          Dec 23, 2024 11:41:40.243954897 CET49841443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:40.243978024 CET49841443192.168.2.4188.119.66.185
                                                                                                          Dec 23, 2024 11:41:40.244009972 CET49841443192.168.2.4188.119.66.185
• 188.119.66.185
Session ID: 0 | Source: 192.168.2.4:49736 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:40:55 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2119d7368d HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:40:56 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:40:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:40:56 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 1 | Source: 192.168.2.4:49737 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:40:58 UTC | 283 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b82a8dcd6c946851e30088883250aa15d105633775b0e650f2ba1e9c95b1c92975ccf55bc592fe5a818ece02a1b7e2984c57cad7021dda3a2119d7368d HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:40:58 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:40:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:40:58 UTC | 686 | IN | Data Raw: 32 61 32 0d 0a 38 62 37 32 33 63 36 38 65 65 31 38 34 30 33 63 36 36 30 66 62 66 65 30 33 38 34 63 32 37 62 36 62 63 38 66 38 30 32 32 34 63 62 64 33 62 63 31 39 30 32 34 39 66 37 65 31 36 66 65 30 34 64 64 65 37 36 37 34 62 62 33 35 63 38 64 31 65 33 66 37 38 37 61 61 30 61 66 30 64 39 62 66 35 30 31 64 32 39 39 62 32 63 61 32 39 37 37 64 33 65 61 35 33 63 36 38 38 66 65 34 66 64 64 64 33 39 66 35 35 61 63 62 64 66 35 63 35 30 61 31 64 63 36 64 35 30 37 30 30 64 63 33 32 32 36 30 37 64 32 33 32 38 39 64 65 64 33 39 34 35 64 34 38 63 32 37 37 33 63 65 37 64 63 30 32 35 34 37 31 31 32 37 30 63 66 65 64 31 37 37 36 62 33 66 30 35 66 61 65 65 65 65 30 35 33 61 64 37 63 64 38 63 63 32 32 65 62 66 37 63 37 66 32 34 62 31 36 38 38 35 32 39 62 33 65 61 66 33 34
Data Ascii: 2a28b723c68ee18403c660fbfe0384c27b6bc8f80224cbd3bc190249f7e16fe04dde7674bb35c8d1e3f787aa0af0d9bf501d299b2ca2977d3ea53c688fe4fddd39f55acbdf5c50a1dc6d50700dc322607d23289ded3945d48c2773ce7dc0254711270cfed1776b3f05faeeee053ad7cd8cc22ebf7c7f24b1688529b3eaf34


Session ID: 2 | Source: 192.168.2.4:49746 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:41:03 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:41:04 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:41:04 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:41:04 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 3 | Source: 192.168.2.4:49752 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:41:06 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:41:06 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:41:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:41:06 UTC | 542 | IN | Data Raw: 32 31 32 0d 0a 38 62 37 32 32 61 37 37 65 34 31 66 35 35 32 63 33 34 34 38 61 33 65 34 36 64 32 30 37 66 65 38 62 33 38 66 38 36 33 66 35 33 62 61 33 64 63 31 39 33 32 37 38 37 36 64 34 34 62 31 34 31 38 35 38 38 32 34 30 37 65 62 31 63 64 37 30 64 33 65 36 64 32 39 66 62 65 39 35 34 66 36 62 32 34 30 64 64 39 64 62 61 63 38 33 37 37 35 64 32 66 66 35 35 63 64 38 38 66 61 34 38 64 36 63 63 39 64 35 37 61 65 61 38 66 37 63 31 30 32 30 30 63 37 64 36 30 35 31 35 64 66 33 34 32 63 30 37 64 35 33 33 39 32 64 30 64 33 38 61 35 63 34 65 63 65 37 61 33 35 66 39 64 64 30 36 35 65 36 39 31 38 36 63 63 66 66 30 31 31 36 38 62 64 66 35 34 31 61 66 65 61 65 31 35 37 61 61 37 34 63 64 63 62 32 31 66 36 65 64 63 37 65 35 34 66 30 65 38 65 35 38 39 38 32 30 61 64 33 36
Data Ascii: 2128b722a77e41f552c3448a3e46d207fe8b38f863f53ba3dc19327876d44b14185882407eb1cd70d3e6d29fbe954f6b240dd9dbac83775d2ff55cd88fa48d6cc9d57aea8f7c10200c7d60515df342c07d53392d0d38a5c4ece7a35f9dd065e69186ccff01168bdf541afeae157aa74cdcb21f6edc7e54f0e8e589820ad36


Session ID: 4 | Source: 192.168.2.4:49759 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:41:08 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:41:09 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:41:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:41:09 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 5 | Source: 192.168.2.4:49765 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:41:11 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:41:11 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:41:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:41:11 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 6 | Source: 192.168.2.4:49771 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:41:13 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:41:14 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:41:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:41:14 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 7 | Source: 192.168.2.4:49777 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:41:15 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:41:16 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:41:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:41:16 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 8 | Source: 192.168.2.4:49783 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:41:17 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:41:18 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:41:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:41:18 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 9 | Source: 192.168.2.4:49789 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:41:20 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:41:21 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:41:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:41:21 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 10 | Source: 192.168.2.4:49800 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:41:22 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:41:23 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:41:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:41:23 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 11 | Source: 192.168.2.4:49806 | Destination: 188.119.66.185:443 | PID: 6568 | Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-23 10:41:25 UTC | 291 | OUT | GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Host: 188.119.66.185
2024-12-23 10:41:25 UTC | 200 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 23 Dec 2024 10:41:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/7.4.33
2024-12-23 10:41:25 UTC | 24 | IN | Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
Data Ascii: e8b723663ec13250


Session ID: 12   Source IP: 192.168.2.4   Source Port: 49811   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:27 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:28 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:28 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:28 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 13   Source IP: 192.168.2.4   Source Port: 49817   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:30 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:30 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:30 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:30 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 14   Source IP: 192.168.2.4   Source Port: 49823   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:32 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:33 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:32 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:33 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 15   Source IP: 192.168.2.4   Source Port: 49829   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:34 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:35 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:35 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:35 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 16   Source IP: 192.168.2.4   Source Port: 49835   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:37 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:37 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:37 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:37 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 17   Source IP: 192.168.2.4   Source Port: 49841   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:39 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:40 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:40 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:40 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 18   Source IP: 192.168.2.4   Source Port: 49847   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:41 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:42 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:42 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:42 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 19   Source IP: 192.168.2.4   Source Port: 49853   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:44 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:44 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:44 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:44 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 20   Source IP: 192.168.2.4   Source Port: 49858   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:46 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:47 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:46 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:47 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 21   Source IP: 192.168.2.4   Source Port: 49864   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:48 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:49 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:49 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:49 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 22   Source IP: 192.168.2.4   Source Port: 49870   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:51 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:51 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:51 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:51 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 23   Source IP: 192.168.2.4   Source Port: 49881   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:53 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:54 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:54 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:54 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


Session ID: 24   Source IP: 192.168.2.4   Source Port: 49887   Destination IP: 188.119.66.185   Destination Port: 443   PID: 6568   Process: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-23 10:41:56 UTC  291                OUT        GET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                       Host: 188.119.66.185
2024-12-23 10:41:56 UTC  200                IN         HTTP/1.1 200 OK
                                                       Server: nginx/1.18.0 (Ubuntu)
                                                       Date: Mon, 23 Dec 2024 10:41:56 GMT
                                                       Content-Type: text/html; charset=UTF-8
                                                       Transfer-Encoding: chunked
                                                       Connection: close
                                                       X-Powered-By: PHP/7.4.33
2024-12-23 10:41:56 UTC  24                 IN         Data Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                       Data Ascii: e8b723663ec13250


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          25192.168.2.449893188.119.66.1854436568C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          2024-12-23 10:41:58 UTC291OUTGET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                          Host: 188.119.66.185
                                                                                                          2024-12-23 10:41:59 UTC200INHTTP/1.1 200 OK
                                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                                          Date: Mon, 23 Dec 2024 10:41:58 GMT
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Connection: close
                                                                                                          X-Powered-By: PHP/7.4.33
                                                                                                          2024-12-23 10:41:59 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                                          Data Ascii: e8b723663ec13250


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          26192.168.2.449899188.119.66.1854436568C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          2024-12-23 10:42:00 UTC291OUTGET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                          Host: 188.119.66.185
                                                                                                          2024-12-23 10:42:01 UTC200INHTTP/1.1 200 OK
                                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                                          Date: Mon, 23 Dec 2024 10:42:01 GMT
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Connection: close
                                                                                                          X-Powered-By: PHP/7.4.33
                                                                                                          2024-12-23 10:42:01 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                                          Data Ascii: e8b723663ec13250


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          27192.168.2.449905188.119.66.1854436568C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          2024-12-23 10:42:03 UTC291OUTGET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                          Host: 188.119.66.185
                                                                                                          2024-12-23 10:42:03 UTC200INHTTP/1.1 200 OK
                                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                                          Date: Mon, 23 Dec 2024 10:42:03 GMT
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Connection: close
                                                                                                          X-Powered-By: PHP/7.4.33
                                                                                                          2024-12-23 10:42:03 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                                          Data Ascii: e8b723663ec13250


                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                          28192.168.2.449911188.119.66.1854436568C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
                                                                                                          TimestampBytes transferredDirectionData
                                                                                                          2024-12-23 10:42:05 UTC291OUTGET /ai/?key=8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70caaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c HTTP/1.1
                                                                                                          User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                          Host: 188.119.66.185
                                                                                                          2024-12-23 10:42:06 UTC200INHTTP/1.1 200 OK
                                                                                                          Server: nginx/1.18.0 (Ubuntu)
                                                                                                          Date: Mon, 23 Dec 2024 10:42:05 GMT
                                                                                                          Content-Type: text/html; charset=UTF-8
                                                                                                          Transfer-Encoding: chunked
                                                                                                          Connection: close
                                                                                                          X-Powered-By: PHP/7.4.33
                                                                                                          2024-12-23 10:42:06 UTC24INData Raw: 65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a
                                                                                                          Data Ascii: e8b723663ec13250
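The observations above can be turned into checks that run over captured sessions. The following is an added example, not Joe Sandbox code: the HttpSession record and the way sessions are grouped are this example's own construction, populated with the values shown in the report (the key, the headers, the raw response bytes and the five timestamps). It decodes the chunked body to recover the real payload, flags the per-request indicators (plaintext on 443, impossible NT version, bare-IP Host) and flags the fixed-interval repeat of one request as a beacon.

```python
"""Beacon heuristics over HTTP session records like those in the report above.
Added example, not Joe Sandbox code. HttpSession and the grouping logic are this
example's own construction; the field values are copied from the report."""
import binascii
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class HttpSession:
    session_id: int
    dst_ip: str
    dst_port: int
    timestamp: str         # "YYYY-MM-DD HH:MM:SS" (UTC, as printed in the report)
    request_line: str
    headers: dict
    response_raw_hex: str  # the "Data Raw" bytes of the response body


def decode_chunked(raw_hex: str) -> bytes:
    """Decode an HTTP/1.1 chunked body given as space-separated hex bytes.
    Returns the concatenated chunk payloads; size lines and CRLFs are stripped."""
    data = binascii.unhexlify(raw_hex.replace(" ", ""))
    out, pos = bytearray(), 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # chunk extensions ignored
        pos = eol + 2
        if size == 0:
            break                                       # last-chunk marker
        out += data[pos:pos + size]
        pos += size + 2                                 # skip the chunk's own CRLF
    return bytes(out)


# "Windows NT" versions that actually shipped; "9.0" never did, so a UA that
# claims it was typed by hand rather than produced by a real browser.
KNOWN_NT = {"5.0", "5.1", "5.2", "6.0", "6.1", "6.2", "6.3", "10.0"}


def session_findings(s: HttpSession) -> list:
    """Per-request indicators, each as a short string."""
    findings = []
    if s.dst_port == 443 and re.match(r"[A-Z]+ /\S* HTTP/1\.[01]$", s.request_line):
        findings.append("cleartext HTTP on tcp/443")
    m = re.search(r"Windows NT (\d+\.\d+)", s.headers.get("User-Agent", ""))
    if m and m.group(1) not in KNOWN_NT:
        findings.append(f"impossible Windows NT {m.group(1)} in User-Agent")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", s.headers.get("Host", "")):
        findings.append("Host header is a bare IP")
    return findings


def beacon_findings(sessions, min_count=3, jitter_s=1.0) -> list:
    """Group identical requests per destination and flag steady repeat intervals."""
    groups = defaultdict(list)
    for s in sessions:
        groups[(s.dst_ip, s.dst_port, s.request_line)].append(
            datetime.strptime(s.timestamp, "%Y-%m-%d %H:%M:%S"))
    out = []
    for (ip, port, req), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(deltas)
        if all(abs(d - med) <= jitter_s for d in deltas):
            out.append({"dst": f"{ip}:{port}", "request": req.split()[1][:40],
                        "count": len(times), "median_interval_s": med})
    return out


# Constructed from the five sessions in the report.
KEY = ("8f3f2b3ab14e166f251de6a5231e72eee7c4db7e40b92a8dcd6c946943b848859e7c4ce718c34f7f632ff3b70c"
       "aaf94cda9ea6967478d3f44cc588fa45d7d69a43faeaa5960502d18f414ad332231ad73989d4d6925c")
RAW_BODY = "65 0d 0a 38 62 37 32 33 36 36 33 65 63 31 33 32 35 0d 0a 30 0d 0a 0d 0a"
HEADERS = {"User-Agent": "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
           "Host": "188.119.66.185"}
SESSIONS = [
    HttpSession(sid, "188.119.66.185", 443, f"2024-12-23 {t}",
                f"GET /ai/?key={KEY} HTTP/1.1", HEADERS, RAW_BODY)
    for sid, t in [(24, "10:41:56"), (25, "10:41:58"), (26, "10:42:00"),
                   (27, "10:42:03"), (28, "10:42:05")]
]

if __name__ == "__main__":
    print("decoded body:", decode_chunked(RAW_BODY))
    print("per-request:", session_findings(SESSIONS[0]))
    print("beacons:", beacon_findings(SESSIONS))
```

The jitter tolerance is deliberately loose (one second) because the report's timestamps are whole seconds; on raw pcap timestamps you would tighten it and also group on the URI path alone, since a sample that randomises the key per request would otherwise split into five singleton groups.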


                                                                                                          Target ID:0
                                                                                                          Start time:05:39:59
                                                                                                          Start date:23/12/2024
                                                                                                          Path:C:\Users\user\Desktop\EQ5Vcf19u8.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\Desktop\EQ5Vcf19u8.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:3'335'813 bytes
                                                                                                          MD5 hash:849F1E782AEF6FC885225F115DB43236
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                          Target ID:1
                                                                                                          Start time:05:39:59
                                                                                                          Start date:23/12/2024
                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-A7EG4.tmp\EQ5Vcf19u8.tmp" /SL5="$1041E,3086842,56832,C:\Users\user\Desktop\EQ5Vcf19u8.exe"
                                                                                                          Imagebase:0x400000
                                                                                                          File size:706'560 bytes
                                                                                                          MD5 hash:BCF2F0322A00DC0DE9B0CAE39438B480
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000001.00000002.2922409932.0000000005A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 3%, ReversingLabs
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                          Target ID:2
                                                                                                          Start time:05:40:00
                                                                                                          Start date:23/12/2024
                                                                                                          Path:C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
                                                                                                          Wow64 process (32bit):true
                                                                                                          Commandline:"C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe" -i
                                                                                                          Imagebase:0x400000
                                                                                                          File size:2'776'237 bytes
                                                                                                          MD5 hash:765448A33166E70D7C75392D7E8FC161
                                                                                                          Has elevated privileges:true
                                                                                                          Has administrator privileges:true
                                                                                                          Programmed in:C, C++ or other language
                                                                                                          Yara matches:
                                                                                                          • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000000.1677490068.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000002.00000002.2922331193.0000000002ACD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe, Author: Joe Security
                                                                                                          Antivirus matches:
                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                          Reputation:low
                                                                                                          Has exited:false

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:21.4%
                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                            Signature Coverage:2.4%
                                                                                                            Total number of Nodes:1520
                                                                                                            Total number of Limit Nodes:22
  execution_graph: the rendered graph is not recoverable from this export, which flattened it into node/edge tokens. What survives is the node addresses (all in the 0x401000-0x40b000 range of the 32-bit image at base 0x400000) and the Win32 APIs called at those nodes, listed here grouped:

    Token/shutdown:      GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx (0x409448 to 0x4094af)
    File and directory:  ReadFile, WriteFile, SetFilePointer, CloseHandle, CreateDirectoryA, RemoveDirectoryA, GetFileAttributesA, GetFullPathNameA, GetWindowsDirectoryA, GetEnvironmentVariableA
    WOW64:               Wow64RevertWow64FsRedirection (0x408fac)
    Registry:            RegOpenKeyExA (0x406f68), RegQueryValueExA (0x406e10), RegCloseKey
    Locale/time:         GetUserDefaultLangID, GetACP, IsDBCSLeadByte, CharPrevA, GetSystemTime
    Dynamic import:      GetModuleHandleA, GetProcAddress (0x407024)
    UI:                  MessageBoxA, DestroyWindow, CallWindowProcA
    Process/RTL:         ExitProcess, RaiseException, RtlUnwind, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, LocalFree, VirtualFree, InterlockedExchange, SetErrorMode, SetLastError, GetLastError, VariantClear

  The chain worth reading is at 0x409448: GetCurrentProcess and OpenProcessToken (0x409454), then LookupPrivilegeValueA, AdjustTokenPrivileges and GetLastError (0x40946a), then ExitWindowsEx (0x4094af). That is the standard sequence for enabling a token privilege before requesting a shutdown or reboot; the privilege name string is not recoverable from the graph. The routine is called from 0x40ac5d, and the caller can show a MessageBoxA (0x40ac80) after it returns. The registry reads (0x406f68, 0x406e10) sit under 0x407024, which resolves its targets at runtime with GetModuleHandleA/GetProcAddress and is itself reached from the locale check at 0x40953c (GetUserDefaultLangID, GetACP).
5398->5396 5400 407443 5399->5400 5401 403198 4 API calls 5400->5401 5402 407460 5401->5402 5402->5387 6417 4076c8 WriteFile 6418 4076e8 6417->6418 6421 4076ef 6417->6421 6419 40748c 35 API calls 6418->6419 6419->6421 6420 407700 6421->6420 6422 4073ec 34 API calls 6421->6422 6422->6420 6423 402ccc 6426 402cfe 6423->6426 6427 402cdd 6423->6427 6424 402d88 RtlUnwind 6425 403154 4 API calls 6424->6425 6425->6426 6427->6424 6427->6426 6428 402b28 RaiseException 6427->6428 6429 402d7f 6428->6429 6429->6424 6835 403fcd 6836 403f07 4 API calls 6835->6836 6837 403fd6 6836->6837 6838 403e9c 4 API calls 6837->6838 6839 403fe2 6838->6839 6436 4024d0 6437 4024e4 6436->6437 6438 4024e9 6436->6438 6441 401918 4 API calls 6437->6441 6439 402518 6438->6439 6440 40250e RtlEnterCriticalSection 6438->6440 6443 4024ed 6438->6443 6451 402300 6439->6451 6440->6439 6441->6438 6444 402525 6447 402581 6444->6447 6448 402577 RtlLeaveCriticalSection 6444->6448 6446 401fd4 14 API calls 6449 402531 6446->6449 6448->6447 6449->6444 6450 40215c 9 API calls 6449->6450 6450->6444 6452 402314 6451->6452 6454 4023b8 6452->6454 6455 402335 6452->6455 6453 402344 6453->6444 6453->6446 6454->6453 6456 401d80 9 API calls 6454->6456 6459 402455 6454->6459 6461 401e84 6454->6461 6455->6453 6457 401b74 9 API calls 6455->6457 6456->6454 6457->6453 6459->6453 6460 401d00 9 API calls 6459->6460 6460->6453 6466 401768 6461->6466 6463 401e99 6464 401ea6 6463->6464 6465 401dcc 9 API calls 6463->6465 6464->6454 6465->6464 6468 401787 6466->6468 6467 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 6467->6468 6468->6467 6469 40183b 6468->6469 6470 40132c LocalAlloc 6468->6470 6472 401821 6468->6472 6474 4017d6 6468->6474 6471 4015c4 VirtualAlloc 6469->6471 6475 4017e7 6469->6475 6470->6468 6471->6475 6473 40150c VirtualFree 6472->6473 6473->6475 6476 40150c VirtualFree 6474->6476 6475->6463 6476->6475 6477 4028d2 6478 4028da 6477->6478 6479 403554 4 API calls 6478->6479 6480 4028ef 6478->6480 6479->6478 
6481 4025ac 4 API calls 6480->6481 6482 4028f4 6481->6482 6840 4019d3 6841 4019ba 6840->6841 6842 4019c3 RtlLeaveCriticalSection 6841->6842 6843 4019cd 6841->6843 6842->6843 5403 407fd4 5404 407fe6 5403->5404 5405 407fed 5403->5405 5414 407f10 5404->5414 5407 408021 5405->5407 5408 408015 5405->5408 5409 408017 5405->5409 5410 40804e 5407->5410 5412 407d7c 33 API calls 5407->5412 5428 407e2c 5408->5428 5425 407d7c 5409->5425 5412->5410 5415 407f25 5414->5415 5416 407d7c 33 API calls 5415->5416 5417 407f34 5415->5417 5416->5417 5418 407f6e 5417->5418 5419 407d7c 33 API calls 5417->5419 5420 407f82 5418->5420 5421 407d7c 33 API calls 5418->5421 5419->5418 5424 407fae 5420->5424 5435 407eb8 5420->5435 5421->5420 5424->5405 5438 4058c4 5425->5438 5427 407d9e 5427->5407 5429 405194 33 API calls 5428->5429 5430 407e57 5429->5430 5446 407de4 5430->5446 5432 407e5f 5433 403198 4 API calls 5432->5433 5434 407e74 5433->5434 5434->5407 5436 407ec7 VirtualFree 5435->5436 5437 407ed9 VirtualAlloc 5435->5437 5436->5437 5437->5424 5440 4058d0 5438->5440 5439 405194 33 API calls 5441 4058fd 5439->5441 5440->5439 5442 4031e8 18 API calls 5441->5442 5443 405908 5442->5443 5444 403198 4 API calls 5443->5444 5445 40591d 5444->5445 5445->5427 5447 4058c4 33 API calls 5446->5447 5448 407e06 5447->5448 5448->5432 6483 405ad4 6484 405ae4 6483->6484 6485 405adc 6483->6485 6486 405ae2 6485->6486 6487 405aeb 6485->6487 6490 405a4c 6486->6490 6488 405940 19 API calls 6487->6488 6488->6484 6491 405a54 6490->6491 6492 405a6e 6491->6492 6493 403154 4 API calls 6491->6493 6494 405a73 6492->6494 6495 405a8a 6492->6495 6493->6491 6496 405940 19 API calls 6494->6496 6497 403154 4 API calls 6495->6497 6498 405a86 6496->6498 6499 405a8f 6497->6499 6501 403154 4 API calls 6498->6501 6500 4059b0 33 API calls 6499->6500 6500->6498 6502 405ab8 6501->6502 6503 403154 4 API calls 6502->6503 6504 405ac6 6503->6504 6504->6484 5916 40a9de 5917 40aa03 5916->5917 5918 407918 InterlockedExchange 5917->5918 5919 
40aa2d 5918->5919 5920 40aa3d 5919->5920 5921 409ae8 18 API calls 5919->5921 5926 4076ac SetEndOfFile 5920->5926 5921->5920 5923 40aa59 5924 4025ac 4 API calls 5923->5924 5925 40aa90 5924->5925 5927 4076c3 5926->5927 5928 4076bc 5926->5928 5927->5923 5929 40748c 35 API calls 5928->5929 5929->5927 6847 402be9 RaiseException 6848 402c04 6847->6848 6515 402af2 6516 402afe 6515->6516 6519 402ed0 6516->6519 6520 403154 4 API calls 6519->6520 6521 402ee0 6520->6521 6522 402b03 6521->6522 6524 402b0c 6521->6524 6525 402b25 6524->6525 6526 402b15 RaiseException 6524->6526 6525->6522 6526->6525 5454 40a5f8 5497 4030dc 5454->5497 5456 40a60e 5500 4042e8 5456->5500 5458 40a613 5503 40457c GetModuleHandleA GetProcAddress 5458->5503 5462 40a61d 5511 4065c8 5462->5511 5464 40a622 5520 4090a4 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5464->5520 5471 40a665 5542 406c2c 5471->5542 5475 4031e8 18 API calls 5476 40a683 5475->5476 5556 4074e0 5476->5556 5482 407918 InterlockedExchange 5484 40a6d2 5482->5484 5483 40a710 5576 4074a0 5483->5576 5484->5483 5613 409ae8 5484->5613 5486 40a751 5580 407a28 5486->5580 5487 40a736 5487->5486 5488 409ae8 18 API calls 5487->5488 5488->5486 5490 40a776 5590 408b08 5490->5590 5494 40a7bc 5495 408b08 35 API calls 5494->5495 5496 40a7f5 5494->5496 5495->5494 5623 403094 5497->5623 5499 4030e1 GetModuleHandleA GetCommandLineA 5499->5456 5501 403154 4 API calls 5500->5501 5502 404323 5500->5502 5501->5502 5502->5458 5504 404598 5503->5504 5505 40459f GetProcAddress 5503->5505 5504->5505 5506 4045b5 GetProcAddress 5505->5506 5507 4045ae 5505->5507 5508 4045c4 SetProcessDEPPolicy 5506->5508 5509 4045c8 5506->5509 5507->5506 5508->5509 5510 404624 6F551CD0 5509->5510 5510->5462 5624 405ca8 5511->5624 5521 4090f7 5520->5521 5708 406fa0 SetErrorMode 5521->5708 5524 407284 19 API calls 5525 409127 5524->5525 5526 403198 4 API calls 5525->5526 5527 40913c 5526->5527 5528 409b78 GetSystemInfo VirtualQuery 5527->5528 5529 409ba2 5528->5529 
5530 409c2c 5528->5530 5529->5530 5531 409c0d VirtualQuery 5529->5531 5532 409bcc VirtualProtect 5529->5532 5533 409bfb VirtualProtect 5529->5533 5534 409768 5530->5534 5531->5529 5531->5530 5532->5529 5533->5531 5714 406bd0 GetCommandLineA 5534->5714 5536 409850 5537 4031b8 4 API calls 5536->5537 5539 40986a 5537->5539 5538 406c2c 20 API calls 5540 409785 5538->5540 5539->5471 5606 409c88 5539->5606 5540->5536 5540->5538 5541 403454 18 API calls 5540->5541 5541->5540 5543 406c53 GetModuleFileNameA 5542->5543 5544 406c77 GetCommandLineA 5542->5544 5545 403278 18 API calls 5543->5545 5552 406c7c 5544->5552 5546 406c75 5545->5546 5550 406ca4 5546->5550 5547 406c81 5548 403198 4 API calls 5547->5548 5551 406c89 5548->5551 5549 406af0 18 API calls 5549->5552 5553 403198 4 API calls 5550->5553 5554 40322c 4 API calls 5551->5554 5552->5547 5552->5549 5552->5551 5555 406cb9 5553->5555 5554->5550 5555->5475 5557 4074ea 5556->5557 5721 407576 5557->5721 5724 407578 5557->5724 5558 407516 5559 40752a 5558->5559 5560 40748c 35 API calls 5558->5560 5563 409c34 FindResourceA 5559->5563 5560->5559 5564 409c49 5563->5564 5565 409c4e SizeofResource 5563->5565 5566 409ae8 18 API calls 5564->5566 5567 409c60 LoadResource 5565->5567 5568 409c5b 5565->5568 5566->5565 5570 409c73 LockResource 5567->5570 5571 409c6e 5567->5571 5569 409ae8 18 API calls 5568->5569 5569->5567 5573 409c84 5570->5573 5574 409c7f 5570->5574 5572 409ae8 18 API calls 5571->5572 5572->5570 5573->5482 5573->5484 5575 409ae8 18 API calls 5574->5575 5575->5573 5577 4074b4 5576->5577 5578 4074c4 5577->5578 5579 4073ec 34 API calls 5577->5579 5578->5487 5579->5578 5581 407a35 5580->5581 5582 405890 18 API calls 5581->5582 5583 407a89 5581->5583 5582->5583 5584 407918 InterlockedExchange 5583->5584 5585 407a9b 5584->5585 5586 405890 18 API calls 5585->5586 5587 407ab1 5585->5587 5586->5587 5588 405890 18 API calls 5587->5588 5589 407af4 5587->5589 5588->5589 5589->5490 5592 408b39 5590->5592 5597 408b82 5590->5597 
5591 408bcd 5727 407cb8 5591->5727 5595 4034f0 18 API calls 5592->5595 5592->5597 5600 403420 18 API calls 5592->5600 5601 4031e8 18 API calls 5592->5601 5605 407cb8 35 API calls 5592->5605 5594 407cb8 35 API calls 5594->5597 5595->5592 5596 408be4 5599 4031b8 4 API calls 5596->5599 5597->5591 5597->5594 5598 4034f0 18 API calls 5597->5598 5603 403420 18 API calls 5597->5603 5604 4031e8 18 API calls 5597->5604 5598->5597 5602 408bfe 5599->5602 5600->5592 5601->5592 5620 404c20 5602->5620 5603->5597 5604->5597 5605->5592 5607 40322c 4 API calls 5606->5607 5608 409cab 5607->5608 5609 409cba MessageBoxA 5608->5609 5610 409ccf 5609->5610 5611 403198 4 API calls 5610->5611 5612 409cd7 5611->5612 5612->5471 5614 409af1 5613->5614 5615 409b09 5613->5615 5617 405890 18 API calls 5614->5617 5616 405890 18 API calls 5615->5616 5618 409b1a 5616->5618 5619 409b03 5617->5619 5618->5483 5619->5483 5749 402594 5620->5749 5622 404c2b 5622->5494 5623->5499 5625 405940 19 API calls 5624->5625 5626 405cb9 5625->5626 5627 405280 GetSystemDefaultLCID 5626->5627 5631 4052b6 5627->5631 5628 404cdc 19 API calls 5628->5631 5629 40520c 19 API calls 5629->5631 5630 4031e8 18 API calls 5630->5631 5631->5628 5631->5629 5631->5630 5635 405318 5631->5635 5632 404cdc 19 API calls 5632->5635 5633 40520c 19 API calls 5633->5635 5634 4031e8 18 API calls 5634->5635 5635->5632 5635->5633 5635->5634 5636 40539b 5635->5636 5637 4031b8 4 API calls 5636->5637 5638 4053b5 5637->5638 5639 4053c4 GetSystemDefaultLCID 5638->5639 5696 40520c GetLocaleInfoA 5639->5696 5642 4031e8 18 API calls 5643 405404 5642->5643 5644 40520c 19 API calls 5643->5644 5645 405419 5644->5645 5646 40520c 19 API calls 5645->5646 5647 40543d 5646->5647 5702 405258 GetLocaleInfoA 5647->5702 5650 405258 GetLocaleInfoA 5651 40546d 5650->5651 5652 40520c 19 API calls 5651->5652 5653 405487 5652->5653 5654 405258 GetLocaleInfoA 5653->5654 5655 4054a4 5654->5655 5656 40520c 19 API calls 5655->5656 5657 4054be 5656->5657 5658 4031e8 18 API 
calls 5657->5658 5659 4054cb 5658->5659 5660 40520c 19 API calls 5659->5660 5661 4054e0 5660->5661 5662 4031e8 18 API calls 5661->5662 5663 4054ed 5662->5663 5664 405258 GetLocaleInfoA 5663->5664 5665 4054fb 5664->5665 5666 40520c 19 API calls 5665->5666 5667 405515 5666->5667 5668 4031e8 18 API calls 5667->5668 5669 405522 5668->5669 5670 40520c 19 API calls 5669->5670 5671 405537 5670->5671 5672 4031e8 18 API calls 5671->5672 5673 405544 5672->5673 5674 40520c 19 API calls 5673->5674 5675 405559 5674->5675 5676 405576 5675->5676 5677 405567 5675->5677 5679 40322c 4 API calls 5676->5679 5704 40322c 5677->5704 5680 405574 5679->5680 5681 40520c 19 API calls 5680->5681 5682 405598 5681->5682 5683 4055b5 5682->5683 5684 4055a6 5682->5684 5686 403198 4 API calls 5683->5686 5685 40322c 4 API calls 5684->5685 5687 4055b3 5685->5687 5686->5687 5688 4033b4 18 API calls 5687->5688 5689 4055d7 5688->5689 5690 4033b4 18 API calls 5689->5690 5691 4055f1 5690->5691 5692 4031b8 4 API calls 5691->5692 5693 40560b 5692->5693 5694 405cf4 GetVersionExA 5693->5694 5695 405d0b 5694->5695 5695->5464 5697 405233 5696->5697 5698 405245 5696->5698 5699 403278 18 API calls 5697->5699 5700 40322c 4 API calls 5698->5700 5701 405243 5699->5701 5700->5701 5701->5642 5703 405274 5702->5703 5703->5650 5706 403230 5704->5706 5705 403252 5705->5680 5706->5705 5707 4025ac 4 API calls 5706->5707 5707->5705 5712 403414 5708->5712 5711 406fee 5711->5524 5713 403418 LoadLibraryA 5712->5713 5713->5711 5715 406af0 18 API calls 5714->5715 5716 406bf3 5715->5716 5717 406af0 18 API calls 5716->5717 5718 406c05 5716->5718 5717->5716 5719 403198 4 API calls 5718->5719 5720 406c1a 5719->5720 5720->5540 5722 407578 5721->5722 5723 4075b7 CreateFileA 5722->5723 5723->5558 5725 403414 5724->5725 5726 4075b7 CreateFileA 5725->5726 5726->5558 5728 407cd3 5727->5728 5732 407cc8 5727->5732 5733 407c5c 5728->5733 5731 405890 18 API calls 5731->5732 5732->5596 5734 407c70 5733->5734 5735 407caf 5733->5735 5734->5735 
5737 407bac 5734->5737 5735->5731 5735->5732 5738 407bb7 5737->5738 5739 407bc8 5737->5739 5740 405890 18 API calls 5738->5740 5741 4074a0 34 API calls 5739->5741 5740->5739 5742 407bdc 5741->5742 5743 4074a0 34 API calls 5742->5743 5744 407bfd 5743->5744 5745 407918 InterlockedExchange 5744->5745 5746 407c12 5745->5746 5747 407c28 5746->5747 5748 405890 18 API calls 5746->5748 5747->5734 5748->5747 5750 402598 5749->5750 5752 4025a2 5749->5752 5755 401fd4 5750->5755 5751 40259e 5751->5752 5753 403154 4 API calls 5751->5753 5752->5622 5752->5752 5753->5752 5756 401fe8 5755->5756 5757 401fed 5755->5757 5766 401918 RtlInitializeCriticalSection 5756->5766 5759 402012 RtlEnterCriticalSection 5757->5759 5760 40201c 5757->5760 5763 401ff1 5757->5763 5759->5760 5760->5763 5773 401ee0 5760->5773 5763->5751 5764 402147 5764->5751 5765 40213d RtlLeaveCriticalSection 5765->5764 5767 401946 5766->5767 5768 40193c RtlEnterCriticalSection 5766->5768 5769 401964 LocalAlloc 5767->5769 5768->5767 5770 40197e 5769->5770 5771 4019c3 RtlLeaveCriticalSection 5770->5771 5772 4019cd 5770->5772 5771->5772 5772->5757 5776 401ef0 5773->5776 5774 401f1c 5778 401f40 5774->5778 5784 401d00 5774->5784 5776->5774 5776->5778 5779 401e58 5776->5779 5778->5764 5778->5765 5788 4016d8 5779->5788 5782 401e75 5782->5776 5785 401d4e 5784->5785 5786 401d1e 5784->5786 5785->5786 5857 401c68 5785->5857 5786->5778 5791 4016f4 5788->5791 5790 4016fe 5813 4015c4 5790->5813 5791->5790 5795 40174f 5791->5795 5797 40175b 5791->5797 5805 401430 5791->5805 5817 40132c 5791->5817 5794 40170a 5794->5797 5821 40150c 5795->5821 5797->5782 5798 401dcc 5797->5798 5831 401d80 5798->5831 5801 40132c LocalAlloc 5802 401df0 5801->5802 5803 401df8 5802->5803 5835 401b44 5802->5835 5803->5782 5806 40143f VirtualAlloc 5805->5806 5808 40146c 5806->5808 5809 40148f 5806->5809 5825 4012e4 5808->5825 5809->5791 5812 40147c VirtualFree 5812->5809 5815 40160a 5813->5815 5814 40163a 5814->5794 5815->5814 5816 401626 VirtualAlloc 
5815->5816 5816->5814 5816->5815 5818 401348 5817->5818 5819 4012e4 LocalAlloc 5818->5819 5820 40138f 5819->5820 5820->5791 5824 40153b 5821->5824 5822 401594 5822->5797 5823 401568 VirtualFree 5823->5824 5824->5822 5824->5823 5828 40128c 5825->5828 5829 401298 LocalAlloc 5828->5829 5830 4012aa 5828->5830 5829->5830 5830->5809 5830->5812 5832 401d92 5831->5832 5833 401d89 5831->5833 5832->5801 5833->5832 5840 401b74 5833->5840 5836 401b61 5835->5836 5837 401b52 5835->5837 5836->5803 5838 401d00 9 API calls 5837->5838 5839 401b5f 5838->5839 5839->5803 5843 40215c 5840->5843 5842 401b95 5842->5832 5844 40217a 5843->5844 5845 402175 5843->5845 5847 4021ab RtlEnterCriticalSection 5844->5847 5849 4021b5 5844->5849 5851 40217e 5844->5851 5846 401918 4 API calls 5845->5846 5846->5844 5847->5849 5848 4021c1 5852 4022e3 RtlLeaveCriticalSection 5848->5852 5853 4022ed 5848->5853 5849->5848 5850 402244 5849->5850 5855 402270 5849->5855 5850->5851 5854 401d80 7 API calls 5850->5854 5851->5842 5852->5853 5853->5842 5854->5851 5855->5848 5856 401d00 7 API calls 5855->5856 5856->5848 5858 401c7a 5857->5858 5859 401c9d 5858->5859 5860 401caf 5858->5860 5870 40188c 5859->5870 5862 40188c 3 API calls 5860->5862 5863 401cad 5862->5863 5864 401b44 9 API calls 5863->5864 5869 401cc5 5863->5869 5865 401cd4 5864->5865 5866 401cee 5865->5866 5880 401b98 5865->5880 5885 4013a0 5866->5885 5869->5786 5871 4018b2 5870->5871 5879 40190b 5870->5879 5889 401658 5871->5889 5874 40132c LocalAlloc 5875 4018cf 5874->5875 5876 4018e6 5875->5876 5877 40150c VirtualFree 5875->5877 5878 4013a0 LocalAlloc 5876->5878 5876->5879 5877->5876 5878->5879 5879->5863 5881 401b9d 5880->5881 5882 401bab 5880->5882 5883 401b74 9 API calls 5881->5883 5882->5866 5884 401baa 5883->5884 5884->5866 5886 4013ab 5885->5886 5887 4012e4 LocalAlloc 5886->5887 5888 4013c6 5886->5888 5887->5888 5888->5869 5891 40168f 5889->5891 5890 4016cf 5890->5874 5891->5890 5892 4016a9 VirtualFree 5891->5892 5892->5891 6849 402dfa 6850 
402e26 6849->6850 6851 402e0d 6849->6851 6853 402ba4 6851->6853 6854 402bc9 6853->6854 6855 402bad 6853->6855 6854->6850 6856 402bb5 RaiseException 6855->6856 6856->6854 6857 4075fa GetFileSize 6858 407626 6857->6858 6859 407616 GetLastError 6857->6859 6859->6858 6860 40761f 6859->6860 6861 40748c 35 API calls 6860->6861 6861->6858 6862 406ffb 6863 407008 SetErrorMode 6862->6863 6531 403a80 CloseHandle 6532 403a90 6531->6532 6533 403a91 GetLastError 6531->6533 6534 404283 6535 4042c3 6534->6535 6536 403154 4 API calls 6535->6536 6537 404323 6536->6537 6864 404185 6865 4041ff 6864->6865 6866 403154 4 API calls 6865->6866 6867 4041cc 6865->6867 6868 404323 6866->6868 6538 403e87 6539 403e4c 6538->6539 6540 403e62 6539->6540 6541 403e7b 6539->6541 6542 403e67 6539->6542 6547 403cc8 6540->6547 6543 402674 4 API calls 6541->6543 6545 403e78 6542->6545 6551 402674 6542->6551 6543->6545 6548 403cd6 6547->6548 6549 402674 4 API calls 6548->6549 6550 403ceb 6548->6550 6549->6550 6550->6542 6552 403154 4 API calls 6551->6552 6553 40267a 6552->6553 6553->6545 6562 407e90 6563 407eb8 VirtualFree 6562->6563 6564 407e9d 6563->6564 6567 403e95 6568 403e4c 6567->6568 6569 403e62 6568->6569 6570 403e7b 6568->6570 6571 403e67 6568->6571 6573 403cc8 4 API calls 6569->6573 6572 402674 4 API calls 6570->6572 6574 403e78 6571->6574 6575 402674 4 API calls 6571->6575 6572->6574 6573->6571 6575->6574 6576 40ac97 6585 4096fc 6576->6585 6579 402f24 5 API calls 6580 40aca1 6579->6580 6581 403198 4 API calls 6580->6581 6582 40acc0 6581->6582 6583 403198 4 API calls 6582->6583 6584 40acc8 6583->6584 6594 4056ac 6585->6594 6587 409745 6591 403198 4 API calls 6587->6591 6588 409717 6588->6587 6600 40720c 6588->6600 6590 409735 6593 40973d MessageBoxA 6590->6593 6592 40975a 6591->6592 6592->6579 6592->6580 6593->6587 6595 403154 4 API calls 6594->6595 6596 4056b1 6595->6596 6597 4056c9 6596->6597 6598 403154 4 API calls 6596->6598 6597->6588 6599 4056bf 6598->6599 6599->6588 6601 4056ac 4 API 
calls 6600->6601 6602 40721b 6601->6602 6603 407221 6602->6603 6604 40722f 6602->6604 6605 40322c 4 API calls 6603->6605 6607 40724b 6604->6607 6608 40723f 6604->6608 6606 40722d 6605->6606 6606->6590 6618 4032b8 6607->6618 6611 4071d0 6608->6611 6612 40322c 4 API calls 6611->6612 6613 4071df 6612->6613 6614 4071fc 6613->6614 6615 406950 CharPrevA 6613->6615 6614->6606 6616 4071eb 6615->6616 6616->6614 6617 4032fc 18 API calls 6616->6617 6617->6614 6619 403278 18 API calls 6618->6619 6620 4032c2 6619->6620 6620->6606 6621 403a97 6622 403aac 6621->6622 6623 403bbc GetStdHandle 6622->6623 6624 403b0e CreateFileA 6622->6624 6625 403ab2 6622->6625 6626 403c17 GetLastError 6623->6626 6638 403bba 6623->6638 6624->6626 6627 403b2c 6624->6627 6626->6625 6629 403b3b GetFileSize 6627->6629 6627->6638 6629->6626 6631 403b4e SetFilePointer 6629->6631 6630 403be7 GetFileType 6630->6625 6633 403c02 CloseHandle 6630->6633 6631->6626 6634 403b6a ReadFile 6631->6634 6633->6625 6634->6626 6635 403b8c 6634->6635 6636 403b9f SetFilePointer 6635->6636 6635->6638 6636->6626 6637 403bb0 SetEndOfFile 6636->6637 6637->6626 6637->6638 6638->6625 6638->6630 6643 40aaa2 6644 40aad2 6643->6644 6645 40aadc CreateWindowExA SetWindowLongA 6644->6645 6646 405194 33 API calls 6645->6646 6647 40ab5f 6646->6647 6648 4032fc 18 API calls 6647->6648 6649 40ab6d 6648->6649 6650 4032fc 18 API calls 6649->6650 6651 40ab7a 6650->6651 6652 406b7c 19 API calls 6651->6652 6653 40ab86 6652->6653 6654 4032fc 18 API calls 6653->6654 6655 40ab8f 6654->6655 6656 4099ec 43 API calls 6655->6656 6657 40aba1 6656->6657 6658 4098cc 19 API calls 6657->6658 6659 40abb4 6657->6659 6658->6659 6660 40abed 6659->6660 6661 4094d8 9 API calls 6659->6661 6662 40ac06 6660->6662 6665 40ac00 RemoveDirectoryA 6660->6665 6661->6660 6663 40ac1a 6662->6663 6664 40ac0f DestroyWindow 6662->6664 6666 40ac42 6663->6666 6667 40357c 4 API calls 6663->6667 6664->6663 6665->6662 6668 40ac38 6667->6668 6669 4025ac 4 API calls 6668->6669 
6669->6666 6881 405ba2 6883 405ba4 6881->6883 6882 405be0 6886 405940 19 API calls 6882->6886 6883->6882 6884 405bf7 6883->6884 6885 405bda 6883->6885 6889 404cdc 19 API calls 6884->6889 6885->6882 6887 405c4c 6885->6887 6894 405bf3 6886->6894 6888 4059b0 33 API calls 6887->6888 6888->6894 6891 405c20 6889->6891 6890 403198 4 API calls 6892 405c86 6890->6892 6893 4059b0 33 API calls 6891->6893 6893->6894 6894->6890 6895 408da4 6896 408dc8 6895->6896 6897 408c80 18 API calls 6896->6897 6898 408dd1 6897->6898 6670 402caa 6671 403154 4 API calls 6670->6671 6672 402caf 6671->6672 6913 4011aa 6914 4011ac GetStdHandle 6913->6914 6673 4028ac 6674 402594 18 API calls 6673->6674 6675 4028b6 6674->6675 4985 40aab4 4986 40aab8 SetLastError 4985->4986 5017 409648 GetLastError 4986->5017 4989 40aad2 4991 40aadc CreateWindowExA SetWindowLongA 4989->4991 5030 405194 4991->5030 4995 40ab6d 4996 4032fc 18 API calls 4995->4996 4997 40ab7a 4996->4997 5047 406b7c GetCommandLineA 4997->5047 5000 4032fc 18 API calls 5001 40ab8f 5000->5001 5052 4099ec 5001->5052 5003 40aba1 5005 40abb4 5003->5005 5073 4098cc 5003->5073 5006 40abd4 5005->5006 5007 40abed 5005->5007 5079 4094d8 5006->5079 5009 40ac06 5007->5009 5012 40ac00 RemoveDirectoryA 5007->5012 5010 40ac1a 5009->5010 5011 40ac0f DestroyWindow 5009->5011 5013 40ac42 5010->5013 5087 40357c 5010->5087 5011->5010 5012->5009 5015 40ac38 5100 4025ac 5015->5100 5104 404c94 5017->5104 5025 4096c3 5119 4031b8 5025->5119 5031 4051a8 33 API calls 5030->5031 5032 4051a3 5031->5032 5033 4032fc 5032->5033 5034 403300 5033->5034 5035 40333f 5033->5035 5036 4031e8 5034->5036 5037 40330a 5034->5037 5035->4995 5044 403254 18 API calls 5036->5044 5045 4031fc 5036->5045 5038 403334 5037->5038 5039 40331d 5037->5039 5041 4034f0 18 API calls 5038->5041 5280 4034f0 5039->5280 5043 403322 5041->5043 5042 403228 5042->4995 5043->4995 5044->5045 5045->5042 5046 4025ac 4 API calls 5045->5046 5046->5042 5306 406af0 5047->5306 5049 406ba1 5050 403198 4 API calls 
5049->5050 5051 406bbf 5050->5051 5051->5000 5320 4033b4 5052->5320 5054 409a27 5055 409a59 CreateProcessA 5054->5055 5056 409a65 5055->5056 5057 409a6c CloseHandle 5055->5057 5058 409648 35 API calls 5056->5058 5059 409a75 5057->5059 5058->5057 5060 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5059->5060 5061 409a7a MsgWaitForMultipleObjects 5060->5061 5061->5059 5062 409a91 5061->5062 5063 4099c0 TranslateMessage DispatchMessageA PeekMessageA 5062->5063 5064 409a96 GetExitCodeProcess CloseHandle 5063->5064 5065 409ab6 5064->5065 5066 403198 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 5065->5066 5067 409abe 5066->5067 5067->5003 5068 402f24 5069 403154 4 API calls 5068->5069 5070 402f29 5069->5070 5326 402bcc 5070->5326 5072 402f51 5072->5072 5074 40990e 5073->5074 5075 4098d4 5073->5075 5074->5005 5075->5074 5076 403420 18 API calls 5075->5076 5077 409908 5076->5077 5329 408e80 5077->5329 5080 409532 5079->5080 5084 4094eb 5079->5084 5080->5007 5081 4094f3 Sleep 5081->5084 5082 409503 Sleep 5082->5084 5084->5080 5084->5081 5084->5082 5085 40951a GetLastError 5084->5085 5352 408fbc 5084->5352 5085->5080 5086 409524 GetLastError 5085->5086 5086->5080 5086->5084 5088 403591 5087->5088 5089 4035a0 5087->5089 5092 4035d0 5088->5092 5093 40359b 5088->5093 5097 4035b6 5088->5097 5090 4035b1 5089->5090 5091 4035b8 5089->5091 5094 403198 4 API calls 5090->5094 5095 4031b8 4 API calls 5091->5095 5092->5097 5098 40357c 4 API calls 5092->5098 5093->5089 5096 4035ec 5093->5096 5094->5097 5095->5097 5096->5097 5369 403554 5096->5369 5097->5015 5098->5092 5101 4025b0 5100->5101 5102 4025ba 5100->5102 5101->5102 5103 403154 4 API calls 5101->5103 5102->5013 5103->5102 5127 4051a8 5104->5127 5107 407284 FormatMessageA 5108 4072aa 5107->5108 5109 403278 18 API calls 5108->5109 5110 4072c7 5109->5110 5111 408da8 5110->5111 5112 408dc8 5111->5112 5270 408c80 5112->5270 5115 405890 5116 405897 5115->5116 5117 4031e8 18 API calls 5116->5117 5118 4058af 5117->5118 
5118->5025 5121 4031be 5119->5121 5120 4031e3 5123 403198 5120->5123 5121->5120 5122 4025ac 4 API calls 5121->5122 5122->5121 5124 4031b7 5123->5124 5125 40319e 5123->5125 5124->4989 5124->5068 5125->5124 5126 4025ac 4 API calls 5125->5126 5126->5124 5128 4051c5 5127->5128 5135 404e58 5128->5135 5131 4051f1 5140 403278 5131->5140 5137 404e73 5135->5137 5136 404e85 5136->5131 5145 404be4 5136->5145 5137->5136 5148 404f7a 5137->5148 5155 404e4c 5137->5155 5141 403254 18 API calls 5140->5141 5142 403288 5141->5142 5143 403198 4 API calls 5142->5143 5144 4032a0 5143->5144 5144->5107 5262 405940 5145->5262 5147 404bf5 5147->5131 5149 404f8b 5148->5149 5154 404fd9 5148->5154 5152 40505f 5149->5152 5149->5154 5151 404ff7 5151->5137 5152->5151 5162 404e38 5152->5162 5154->5151 5158 404df4 5154->5158 5156 403198 4 API calls 5155->5156 5157 404e56 5156->5157 5157->5137 5159 404e02 5158->5159 5165 404bfc 5159->5165 5161 404e30 5161->5154 5192 4039a4 5162->5192 5168 4059b0 5165->5168 5167 404c15 5167->5161 5169 4059be 5168->5169 5178 404cdc LoadStringA 5169->5178 5172 405194 33 API calls 5173 4059f6 5172->5173 5181 4031e8 5173->5181 5176 4031b8 4 API calls 5177 405a1b 5176->5177 5177->5167 5179 403278 18 API calls 5178->5179 5180 404d09 5179->5180 5180->5172 5182 4031ec 5181->5182 5185 4031fc 5181->5185 5182->5185 5187 403254 5182->5187 5183 403228 5183->5176 5185->5183 5186 4025ac 4 API calls 5185->5186 5186->5183 5188 403274 5187->5188 5189 403258 5187->5189 5188->5185 5190 402594 18 API calls 5189->5190 5191 403261 5190->5191 5191->5185 5193 4039ab 5192->5193 5198 4038b4 5193->5198 5195 4039cb 5196 403198 4 API calls 5195->5196 5197 4039d2 5196->5197 5197->5151 5199 4038d5 5198->5199 5200 4038c8 5198->5200 5202 403934 5199->5202 5203 4038db 5199->5203 5226 403780 5200->5226 5204 403993 5202->5204 5205 40393b 5202->5205 5206 4038e1 5203->5206 5207 4038ee 5203->5207 5210 4037f4 3 API calls 5204->5210 5211 403941 5205->5211 5212 40394b 5205->5212 5233 403894 5206->5233 5209 
403894 6 API calls 5207->5209 5215 4038fc 5209->5215 5213 4038d0 5210->5213 5248 403864 5211->5248 5214 4037f4 3 API calls 5212->5214 5213->5195 5217 40395d 5214->5217 5238 4037f4 5215->5238 5219 403864 23 API calls 5217->5219 5221 403976 5219->5221 5220 403917 5244 40374c 5220->5244 5223 40374c VariantClear 5221->5223 5225 40398b 5223->5225 5224 40392c 5224->5195 5225->5195 5227 4037f0 5226->5227 5228 403744 5226->5228 5227->5213 5228->5226 5229 4037ab 5228->5229 5230 403793 VariantClear 5228->5230 5231 4037dc VariantCopyInd 5228->5231 5232 403198 4 API calls 5228->5232 5229->5213 5230->5228 5231->5227 5231->5228 5232->5228 5253 4036b8 5233->5253 5236 40374c VariantClear 5237 4038a9 5236->5237 5237->5213 5239 403845 VariantChangeTypeEx 5238->5239 5240 40380a VariantChangeTypeEx 5238->5240 5242 403832 5239->5242 5241 403826 5240->5241 5243 40374c VariantClear 5241->5243 5242->5220 5243->5242 5245 403766 5244->5245 5246 403759 5244->5246 5245->5224 5246->5245 5247 403779 VariantClear 5246->5247 5247->5224 5259 40369c SysStringLen 5248->5259 5251 40374c VariantClear 5252 403882 5251->5252 5252->5213 5254 4036cb 5253->5254 5255 403706 MultiByteToWideChar SysAllocStringLen MultiByteToWideChar 5254->5255 5256 4036db 5254->5256 5257 40372e 5255->5257 5258 4036ed MultiByteToWideChar SysAllocStringLen 5256->5258 5257->5236 5258->5257 5260 403610 21 API calls 5259->5260 5261 4036b3 5260->5261 5261->5251 5263 40594c 5262->5263 5264 404cdc 19 API calls 5263->5264 5265 405972 5264->5265 5266 4031e8 18 API calls 5265->5266 5267 40597d 5266->5267 5268 403198 4 API calls 5267->5268 5269 405992 5268->5269 5269->5147 5271 403198 4 API calls 5270->5271 5273 408cb1 5270->5273 5271->5273 5272 4031b8 4 API calls 5274 408d69 5272->5274 5275 408cc8 5273->5275 5276 403278 18 API calls 5273->5276 5278 4032fc 18 API calls 5273->5278 5279 408cdc 5273->5279 5274->5115 5277 4032fc 18 API calls 5275->5277 5276->5273 5277->5279 5278->5273 5279->5272 5281 4034fd 5280->5281 5288 40352d 5280->5288 
Call-graph listing continued from the previous function's entry: nodes 5281-5385 cover 00402bd5-00409010 and nodes 6676-6679 cover 00401a96-00401ab9. API calls on these nodes: RaiseException (00402bd5); TlsGetValue (0040318c, 00403174) with LocalAlloc (00403120) and TlsSetValue (0040313e) on the path where the slot is still empty; InterlockedExchange (004078db); in 00408f70 either Wow64DisableWow64FsRedirection (00408f87) or SetLastError (00408fa0), then DeleteFileA with GetLastError (00408ff2), then Wow64RevertWow64FsRedirection (00408fb1) in 00408fac, i.e. a file deletion performed with WOW64 file-system redirection switched off and restored afterwards; RtlLeaveCriticalSection (00401a9f) and RtlDeleteCriticalSection (00401aa9). Subcalls 00403254, 00403278, 004031e8, 00405890 and 00408e18 are summarised as "18 API calls", and 00403198, 004031b8, 0040357c and 00403554 as "4 API calls".

Control-flow Graph

Basic blocks of the function at 00409B78 (block id, address range, API calls, successors), from the control_flow_graph listing:
• 116 409b78-409b9c GetSystemInfo, VirtualQuery -> 117, 118
• 117 409ba2 -> 119
• 118 409c2c-409c33 (no successors)
• 119 409c21-409c26 -> 118, 120
• 120 409ba4-409bab -> 121, 122
• 121 409c0d-409c1f VirtualQuery -> 118, 119
• 122 409bad-409bb1 -> 121, 123
• 123 409bb3-409bbb -> 124, 125
• 124 409bcc-409bdd VirtualProtect -> 127, 128
• 125 409bbd-409bc0 -> 124, 126
• 126 409bc2-409bc5 -> 124, 129
• 127 409be1-409be3 -> 130
• 128 409bdf -> 127
• 129 409bc7-409bca -> 124, 127
• 130 409bf2-409bf5 -> 131, 132
• 131 409be5-409bee call 409b70 -> 130
• 132 409bf7-409bf9 -> 121, 134
• 134 409bfb-409c08 VirtualProtect -> 121
                                                                                                            APIs
                                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00409B8A
                                                                                                            • VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B95
                                                                                                            • VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BD6
                                                                                                            • VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409C08
                                                                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409C18
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Virtual$ProtectQuery$InfoSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 2441996862-0
                                                                                                            • Opcode ID: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                                            • Instruction ID: 4a1d84bb43d4a47cf168f169447d483ed62c711ee8ccb48f5bfbfd053dbeaed9
                                                                                                            • Opcode Fuzzy Hash: 69cc1b0b9b744b29044eea84e4744ba7a66f7205e02ae19cc0529fdcfa929845
                                                                                                            • Instruction Fuzzy Hash: D421A1B16043006BDA309AA99C85E57B7E8AF45360F144C2BFA99E72C3D239FC40C669
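The control_flow_graph text above is the data behind the graph image: each block is `<id> <start>[-<end>]` followed by the APIs it calls, and `<a>-><b>` is an edge. What the "changes PE section rights" signature keys on is the shape, not the API names alone: GetSystemInfo and the first VirtualQuery (from the image base 00400000, with the 0x1C-byte MEMORY_BASIC_INFORMATION) run once at entry, while VirtualQuery at 00409C18 and both VirtualProtect sites (new protection 00000040, PAGE_EXECUTE_READWRITE, then a second VirtualProtect restoring the old value) sit inside a cycle that walks the module's own regions. The parser below is an added example, not code from Joe Sandbox or from the sample: it rebuilds the graph from the listing and reports which calls are looped. Both listings are copied from this page (the second, for 00401918, appears further down and uses the `call <addr> * <n>` form); the `x3` rendering of that multiplier is this example's own notation.

```python
import re

# Both listings are copied verbatim from this report's "control_flow_graph"
# text, the data behind the graph images: the page-protection walker at
# 00409B78 and the critical-section initialiser at 00401918.
CFG_409B78 = (
    "116 409b78-409b9c GetSystemInfo VirtualQuery 117 409ba2 116->117 "
    "118 409c2c-409c33 116->118 119 409c21-409c26 117->119 119->118 "
    "120 409ba4-409bab 119->120 121 409c0d-409c1f VirtualQuery 120->121 "
    "122 409bad-409bb1 120->122 121->118 121->119 122->121 123 409bb3-409bbb "
    "122->123 124 409bcc-409bdd VirtualProtect 123->124 125 409bbd-409bc0 "
    "123->125 127 409be1-409be3 124->127 128 409bdf 124->128 125->124 "
    "126 409bc2-409bc5 125->126 126->124 129 409bc7-409bca 126->129 "
    "130 409bf2-409bf5 127->130 128->127 129->124 129->127 "
    "131 409be5-409bee call 409b70 130->131 132 409bf7-409bf9 130->132 "
    "131->130 132->121 134 409bfb-409c08 VirtualProtect 132->134 134->121"
)
CFG_401918 = (
    "136 401918-40193a RtlInitializeCriticalSection 137 401946-40197c "
    "call 4012dc * 3 LocalAlloc 136->137 138 40193c-401941 "
    "RtlEnterCriticalSection 136->138 145 4019ad-4019c1 137->145 146 40197e "
    "137->146 138->137 150 4019c3-4019c8 RtlLeaveCriticalSection 145->150 "
    "151 4019cd 145->151 147 401983-401995 146->147 147->147 "
    "149 401997-4019a6 147->149 149->145 150->151"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
BLOCK_ID = re.compile(r"^\d+$")
ADDR_RANGE = re.compile(r"^[0-9a-f]{4,8}(?:-[0-9a-f]{4,8})?$")


def parse_cfg(dump):
    """Return (blocks, succ): blocks[id] = {'range', 'calls'}, succ[id] = set of ids."""
    blocks, succ = {}, {}
    tokens = dump.split()
    i, current = 0, None
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            src, dst = int(edge.group(1)), int(edge.group(2))
            succ.setdefault(src, set()).add(dst)
            succ.setdefault(dst, set())
            i += 1
        elif BLOCK_ID.match(tok) and i + 1 < len(tokens) and ADDR_RANGE.match(tokens[i + 1]):
            current = int(tok)                       # "<id> <start>[-<end>]" opens a block
            blocks[current] = {"range": tokens[i + 1], "calls": []}
            succ.setdefault(current, set())
            i += 2
        elif tok == "call":                          # "call 409b70": direct call to a function
            blocks[current]["calls"].append("call " + tokens[i + 1])
            i += 2
        elif tok == "*":                             # "call 4012dc * 3": same call, three times
            blocks[current]["calls"][-1] += " x" + tokens[i + 1]
            i += 2
        else:                                        # a Windows API the block invokes
            blocks[current]["calls"].append(tok)
            i += 1
    return blocks, succ


def loop_blocks(succ):
    """Blocks on a cycle: those that can reach themselves along successor edges."""
    def reachable(start):
        seen, stack = set(), list(succ.get(start, ()))
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(succ.get(n, ()))
        return seen
    return {n for n in succ if n in reachable(n)}


def summarize(dump):
    """Which API calls run once at entry and which sit inside a loop."""
    blocks, succ = parse_cfg(dump)
    looped = loop_blocks(succ)
    entry = next(iter(blocks))                       # Joe Sandbox lists the entry block first
    return {
        "blocks": len(blocks),
        "edges": sum(len(s) for s in succ.values()),
        "entry_apis": list(blocks[entry]["calls"]),
        "loop_blocks": sorted(looped),
        "loop_apis": sorted({c for n in looped
                             for c in blocks.get(n, {"calls": []})["calls"]
                             if not c.startswith("call ")}),
    }


if __name__ == "__main__":
    for name, dump in (("00409B78", CFG_409B78), ("00401918", CFG_401918)):
        print(name, summarize(dump))
```

On the 00409B78 listing only blocks 116, 117 and 118 lie outside the cycle, so the GetSystemInfo/VirtualQuery pair runs once and both VirtualProtect sites repeat per region; on 00401918 the only cycle is the self-loop at 147, which calls no API, so the listing describes a one-shot initialiser. A VirtualProtect(…, 0x40) loop over a module's own pages is exactly what packers and self-modifying stubs do at startup, which is why the signature fires here; it is the confirming artefact, not a verdict by itself.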
                                                                                                            APIs
                                                                                                            • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID:
                                                                                                            • API String ID: 2299586839-0
                                                                                                            • Opcode ID: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                                            • Instruction ID: 1248db9972fbf410c55bf070b604c98f5d62b90992f8f49b6b6440a9954d2c50
                                                                                                            • Opcode Fuzzy Hash: 08facca5f8c818d7ae0117448837c5e97f15c9e55cb3aedc2694e0bc5091a832
                                                                                                            • Instruction Fuzzy Hash: E2E0927170021427D710A9A99C86AEB725CEB58310F0002BFB904E73C6EDB49E804AED

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
                                                                                                            • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleModulePolicyProcess
                                                                                                            • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                                            • API String ID: 3256987805-3653653586
                                                                                                            • Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                                            • Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
                                                                                                            • Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
                                                                                                            • Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • SetLastError.KERNEL32 ref: 0040AAC1
                                                                                                              • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020B24B0), ref: 0040966C
                                                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                                            • SetWindowLongA.USER32(0001041E,000000FC,00409960), ref: 0040AB15
                                                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                                            • DestroyWindow.USER32(0001041E,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ErrorLast$CreateDestroyDirectoryLongRemove
                                                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                            • API String ID: 3757039580-3001827809
                                                                                                            • Opcode ID: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                                            • Instruction ID: 81987b3bab642c92fe87a7372e0454594c4b8fe140ce311e0f93b1eeebf6ab37
                                                                                                            • Opcode Fuzzy Hash: 7bc9c0c8e9dfd2478b94306391eafe1fb51b7566d8199cdbb2b2653dcbc3d95c
                                                                                                            • Instruction Fuzzy Hash: 25412E70604204DBDB10EBA9EE89B9E37A5EB44304F10467FF510B72E2D7B89855CB9D

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090C4
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,0040A62C), ref: 004090DE
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                                            • API String ID: 1646373207-2130885113
                                                                                                            • Opcode ID: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                                            • Instruction ID: 214dda5481ef482ebe311b1329301f35405b1013d97e3062c17ffb2c8286d57d
                                                                                                            • Opcode Fuzzy Hash: 0414f1d66f28dc470df4633e5994336701384173b3f6f66b470f3ad827f759f7
                                                                                                            • Instruction Fuzzy Hash: 21017C70748342AEFB00BB76DD4AB163A68E785704F60457BF640BA2D3DABD4C04D66E

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
                                                                                                            • SetWindowLongA.USER32(0001041E,000000FC,00409960), ref: 0040AB15
                                                                                                              • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
                                                                                                              • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020B24B0,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                                              • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020B24B0,00409AD8,00000000), ref: 00409A70
                                                                                                              • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                                              • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                                              • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020B24B0,00409AD8), ref: 00409AA4
                                                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
                                                                                                            • DestroyWindow.USER32(0001041E,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                                                                            • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                                                                                            • API String ID: 3586484885-3001827809
                                                                                                            • Opcode ID: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                                            • Instruction ID: d3376fcde1141b4290a3dca450fc2844fa47922897975e075ebf06e3b6db64eb
                                                                                                            • Opcode Fuzzy Hash: c367800830601d7b7bb1e4b9cc729c69669d466ec6c890b8506752b9ad64910a
                                                                                                            • Instruction Fuzzy Hash: 77411A71604204DFD714EBA9EE85B5A37B5EB48304F20427BF500BB2E1D7B8A855CB9D

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020B24B0,00409AD8,00000000,00409ABF), ref: 00409A5C
                                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020B24B0,00409AD8,00000000), ref: 00409A70
                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
                                                                                                            • GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
                                                                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020B24B0,00409AD8), ref: 00409AA4
                                                                                                              • Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B244,?,020B24B0), ref: 0040966C
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                                                                            • String ID: D
                                                                                                            • API String ID: 3356880605-2746444292
                                                                                                            • Opcode ID: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                                            • Instruction ID: b58d0f6e2b8975977e6c7b71aada5392bea55c03070ce9fad3dcef5aa6d4018a
                                                                                                            • Opcode Fuzzy Hash: aadf6f075de5bdb3c28d757ddccd10dd30f6bbfdbbad62eb54c24073370c977f
                                                                                                            • Instruction Fuzzy Hash: EE1142B16402486EDB00EBE6CC42F9EB7ACEF49714F50013BB604F72C6DA785D048A69
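Each function entry above carries an "API ID" and a "String ID" under Similarity, and the "APIs" lines (including the "Part of subcall function" entries) are what they are computed from. A parser for those lines makes the fields usable for clustering functions across reports and surfaces the dynamic-import pattern in the 00404582 entry: SetDllDirectoryW, SetSearchPathMode and SetProcessDEPPolicy are looked up through GetProcAddress because they are missing on older Windows builds, and SetProcessDEPPolicy is then called with 00000001 (PROCESS_DEP_ENABLE). Together with the InnoSetupLdrWindow and /SL5= strings in the 0040AAFE entry this is the Inno Setup loader stub hardening itself at startup, not evasion, and triage should not score it as such. The code below is an added example, not code from Joe Sandbox or from the sample; the two listings are copied from this page. The API-ID rule it implements is an inference from this page's values (CamelCase words of four or more characters, counted over all calls including subcalls, grouped by frequency, alphabetical within a group, groups joined with `$`); it reproduces the API IDs shown on this page but is not Joe Sandbox's documented algorithm, and the code says so.

```python
import re
from collections import Counter

# Two "APIs" listings copied verbatim from this report (constructed input for
# the example): the kernel32 hardening function at 00404582 and the
# InnoSetupLdrWindow function at 0040AAFE together with its subcall entries.
LISTING_DEP = """
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0040A618), ref: 00404582
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,0040A618), ref: 004045C6
"""
LISTING_LDR = """
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AAFE
• SetWindowLongA.USER32(0001041E,000000FC,00409960), ref: 0040AB15
  • Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040AB86,?), ref: 00406B94
  • Part of subcall function 004099EC: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020B24B0,00409AD8,00000000,00409ABF), ref: 00409A5C
  • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020B24B0,00409AD8,00000000), ref: 00409A70
  • Part of subcall function 004099EC: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A89
  • Part of subcall function 004099EC: GetExitCodeProcess.KERNEL32(?,0040B244), ref: 00409A9B
  • Part of subcall function 004099EC: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409AE4,020B24B0,00409AD8), ref: 00409AA4
• RemoveDirectoryA.KERNEL32(00000000,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC01
• DestroyWindow.USER32(0001041E,0040AC54,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040AC15
"""

LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
WORD = re.compile(r"[A-Z][a-z]+|[A-Z]+(?![a-z])")   # CamelCase splitter
HEXARG = re.compile(r"^[0-9A-F]{8}$")


def parse_api_listing(text):
    """Turn the bullet lines into dicts; subcall entries keep the callee address."""
    calls = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError("unrecognised line: " + line)
        calls.append({"api": m["api"], "module": m["mod"], "ref": m["ref"],
                      "args": m["args"].split(",") if m["args"] else [],
                      "subcall": m["sub"]})
    return calls


def api_id(calls):
    """Inferred API-ID rule (assumption: it reproduces the API IDs on this page,
    but it is not Joe Sandbox's documented algorithm): split each API name into
    CamelCase words, drop words shorter than four characters (Get, Set, Ex, A,
    Msg, For, DEP), count them over all calls including subcalls, group by count
    (highest first), sort alphabetically inside a group, join groups with '$'."""
    counts = Counter(w for c in calls for w in WORD.findall(c["api"]) if len(w) >= 4)
    groups = {}
    for word, n in counts.items():
        groups.setdefault(n, []).append(word)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def dynamic_imports(calls):
    """Export names the function resolves at run time (2nd GetProcAddress argument)."""
    return [c["args"][1] for c in calls
            if c["api"] == "GetProcAddress" and len(c["args"]) > 1]


def resolved_and_called(calls):
    """Of the dynamically resolved names, those the sandbox also saw being invoked."""
    seen = {c["api"] for c in calls}
    return [name for name in dynamic_imports(calls) if name in seen]


def string_args(calls):
    """Literal string arguments the sandbox recovered ('?' and 8-digit hex excluded)."""
    return sorted({a for c in calls for a in c["args"]
                   if a != "?" and not HEXARG.match(a)})


if __name__ == "__main__":
    for name, listing in (("00404582", LISTING_DEP), ("0040AAFE", LISTING_LDR)):
        calls = parse_api_listing(listing)
        print(name, api_id(calls), dynamic_imports(calls), resolved_and_called(calls))
```

For the 00404582 entry, joining `string_args` with `$` also yields that entry's String ID exactly; for 0040AAFE it does not, because that String ID additionally lists `/SL5="` and `%x,%d,%d,`, which the function references outside any API argument, so `string_args` is only a subset there.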

Control-flow Graph

Basic blocks of the function at 00401918 (block id, address range, API calls, successors), from the control_flow_graph listing:
• 136 401918-40193a RtlInitializeCriticalSection -> 137, 138
• 137 401946-40197c call 4012dc (three times), LocalAlloc -> 145, 146
• 138 40193c-401941 RtlEnterCriticalSection -> 137
• 145 4019ad-4019c1 -> 150, 151
• 146 40197e -> 147
• 147 401983-401995 -> 147 (self-loop), 149
• 149 401997-4019a6 -> 145
• 150 4019c3-4019c8 RtlLeaveCriticalSection -> 151
• 151 4019cd (no successors)
APIs
• RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
• RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
• LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
• RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
• Opcode ID: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
• Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
• Opcode Fuzzy Hash: 38709c719971e1168baf9cdc3c67f999ad3db3ab521e9349fb3b390a12b3c6f3
• Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
Strings
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Message
• String ID: .tmp$y@
• API String ID: 2030045667-2396523267
• Opcode ID: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
• Instruction ID: 5e9257013af3d55ef2b6e359c41f87f67318ae2a4e6dbf07461b5d8c6de74657
• Opcode Fuzzy Hash: 55a53fbd7ad7285035f8ab2cde1915fb146aa3dc543cd9b52406218d685c1c98
• Instruction Fuzzy Hash: 3B41C030704200CFD311EF25DED1A1A77A5EB49304B214A3AF804B73E1CAB9AC11CBAD

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040A878
Strings
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Message
• String ID: .tmp$y@
• API String ID: 2030045667-2396523267
• Opcode ID: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
• Instruction ID: 95bba075cf9db07042691c1556ef0613dbe482a65a3614fff4d0ead14828e6f7
• Opcode Fuzzy Hash: 4e131503fe38447772e4e2294cf5373b7e2007f9fac8d76d0a71823c743fc64d
• Instruction Fuzzy Hash: E341BE30700200DFC711EF65DED2A1A77A5EB49304B104A3AF804B73E2CAB9AC01CBAD

Control-flow Graph

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
• GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
• Instruction ID: b240cf9bc22f775501a2d99da134be40bb2f76fb21a7d6e050461713caae6e8b
• Opcode Fuzzy Hash: 1c7982c9535877cc809d76a2290e1ec991a7408e90ad789d49a53b04ffd62ed2
• Instruction Fuzzy Hash: 9E216774A00208ABDB05EFA1C8429DFB7B8EF88304F50457BE901B73C2DA3C9E058A65

Control-flow Graph
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
• Instruction ID: 20d0a63744b7af467993d3e8aec565234b7be2d060ba20bf9fd199bb98bd5a4e
• Opcode Fuzzy Hash: 43d3196ec1ce5242573e8f450cfa6a0a1bc6604aabb0088ea34051851cbbaa4a
• Instruction Fuzzy Hash: 8251D12294D2910FC7126B7849685A53FE0FE5331132E92FBC5C1AB1A3D27CA847D35B

Control-flow Graph
APIs
• RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00402148), ref: 00402017
  • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
  • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
  • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
  • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID:
• API String ID: 296031713-0
• Opcode ID: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
• Instruction ID: b272be6629c35a549fc4f1c5a19e6e0df2414f51bb24a7fd7fb800939d1160d0
• Opcode Fuzzy Hash: e41243de7c80276a36dcdd2c2c0e451bb1a6f3055e5ddec7aea90b49354f7273
• Instruction Fuzzy Hash: D4419CB2A40711DFDB108F69DEC562A77A0FB58314B25837AD984B73E1D378A842CB48

Control-flow Graph
APIs
• SetErrorMode.KERNEL32(00008000), ref: 00406FAA
• LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
• Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
• Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
• Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

APIs
• SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
• GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020B03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
• Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
• Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

Control-flow Graph
APIs
• ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
• GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ErrorFileLastRead
• String ID:
• API String ID: 1948546556-0
• Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
• Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
                                                                                                            • Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
                                                                                                            • Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
• GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020B03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
• Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
• Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
• Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
• Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
• Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,004053B6), ref: 0040529F
  • Part of subcall function 00404CDC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CF9
  • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
• Instruction ID: b95c725f163960c8622ba1b0af82130980b93a97e76f79286a035b518bc8de08
• Opcode Fuzzy Hash: ef449c44a2a61a26d18614e24c7ade2666283ce56a0d8fcdc2eeed56ad2c4646
• Instruction Fuzzy Hash: 90314F75E01509ABCB00DF95C8C19EEB379FF84304F158577E815BB286E739AE068B98
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
• Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
• Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
• Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
• Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
• Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
• Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
• Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
• Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
• Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020B03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
• Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
• Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
• Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
• Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
• Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
• Opcode Fuzzy Hash: 7ef42d69529baecca532a801bf1eab389dc79dba057db81877db687b261eaad4
• Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F
APIs
• SetEndOfFile.KERNEL32(?,020C8000,0040AA59,00000000), ref: 004076B3
  • Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020B03AC,?,0040A69B,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 0040748F
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
• Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
• Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
• Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666
APIs
• SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
• Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
• Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNEL32(?,00407019), ref: 0040700C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorMode
                                                                                                            • String ID:
                                                                                                            • API String ID: 2340568224-0
                                                                                                            • Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                                            • Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
                                                                                                            • Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
                                                                                                            • Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B
                                                                                                            APIs
                                                                                                            • CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CharPrev
                                                                                                            • String ID:
                                                                                                            • API String ID: 122130370-0
                                                                                                            • Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                            • Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
                                                                                                            • Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
                                                                                                            • Instruction Fuzzy Hash:
                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                            • Instruction ID: 1e7236936b067224bcb0a7c190bcfb18a105a15b1652d3161176e1d0ad605fa4
                                                                                                            • Opcode Fuzzy Hash: 636722d4ca057b68616df378e1b8a5bd7f337355b9f7c137ab23b8dc1cafdb71
                                                                                                            • Instruction Fuzzy Hash: 43116371A042059BDB00EF19C881B5B7794AF44359F05807AF958AB2C6DB38E800CBAA
                                                                                                            APIs
                                                                                                            • VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FreeVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 1263568516-0
                                                                                                            • Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                            • Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
                                                                                                            • Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
                                                                                                            • Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID:
                                                                                                            • API String ID: 2962429428-0
                                                                                                            • Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                            • Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
                                                                                                            • Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
                                                                                                            • Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D
                                                                                                            APIs
                                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FreeVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 1263568516-0
                                                                                                            • Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                                            • Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
                                                                                                            • Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
                                                                                                            • Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 00409457
                                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
                                                                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
                                                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                            • API String ID: 107509674-3733053543
                                                                                                            • Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                            • Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
                                                                                                            • Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
                                                                                                            • Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F
                                                                                                            APIs
                                                                                                            • FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
                                                                                                            • SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000,0040ACC9), ref: 00409C51
                                                                                                            • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92,?,00000000), ref: 00409C63
                                                                                                            • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3,00000000,0040AC4A,?,00000001,00000000,00000002,00000000,0040AC92), ref: 00409C74
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                                            • String ID:
                                                                                                            • API String ID: 3473537107-0
                                                                                                            • Opcode ID: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                                            • Instruction ID: 5c2a5118689e511edc0a9dde7e1b9e77d0383d271af581b44440e1e73e890ea9
                                                                                                            • Opcode Fuzzy Hash: 66472a43d98f2116202d14454299061058d21427157a3f4f4112e001326967e1
                                                                                                            • Instruction Fuzzy Hash: B0E07E80B8874726FA6576FB08C7B6B008C4BA570EF00003BB700792C3DDBC8C04462E
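The two function entries above (the SeShutdownPrivilege / ExitWindowsEx chain and the FindResourceA / SizeofResource / LoadResource / LockResource chain), together with the earlier VirtualAlloc and VirtualFree entries, are easier to read once the raw constants are decoded: ExitWindowsEx(00000002, 0) is EWX_REBOOT, FindResourceA(0, 00002B67, 0000000A) asks for RT_RCDATA resource ID 11111 by MAKEINTRESOURCE, VirtualAlloc(..., 00001000, 00000004) is MEM_COMMIT with PAGE_READWRITE, and VirtualFree(..., 00008000) is MEM_RELEASE. The script below is an added triage helper, not part of the Joe Sandbox report or its IDA plugin: it parses API lines in the report's own format, decodes those constants from the Win32 SDK values, and flags the two chains. The sample input is constructed by pasting the API lines from the entries above; the chain labels and the regular expression are this example's own assumptions about the listing format, and the `ref` addresses are only meaningful against the dump whose image base is 00400000.

```python
"""Triage helper for Joe Sandbox "APIs" listings (added example, not part of this report).

Parses lines of the form
    • ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
decodes the constant arguments that matter for triage, and flags known API chains.
"""
import re
from typing import Optional

# Constructed sample input: the API lines of several function entries from this
# report, pasted together. Ordering is only meaningful within one entry.
SAMPLE = """
• GetCurrentProcess.KERNEL32(00000028), ref: 00409457
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040949D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 004094A2
• ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409C3E
• SizeofResource.KERNEL32(00000000,00000000,?,0040A6B3), ref: 00409C51
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040A6B3), ref: 00409C63
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A6B3), ref: 00409C74
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0
• VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF
"""

# Assumed listing format: "• Api.MODULE(arg,arg,...), ref: 8-hex-digit address".
LINE_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})")

# Win32 constants (from the SDK headers) for the calls decoded below.
MEM_FLAGS = [(0x1000, "MEM_COMMIT"), (0x2000, "MEM_RESERVE"),
             (0x4000, "MEM_DECOMMIT"), (0x8000, "MEM_RELEASE")]
PAGE_PROT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EWX_FLAGS = [(0x1, "EWX_SHUTDOWN"), (0x2, "EWX_REBOOT"),
             (0x4, "EWX_FORCE"), (0x8, "EWX_POWEROFF")]
RT_TYPES = {3: "RT_ICON", 10: "RT_RCDATA", 16: "RT_VERSION"}

# Chains worth a second look; the labels are this example's own triage heuristics.
CHAINS = {
    "enable SeShutdownPrivilege, then ExitWindowsEx":
        ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges", "ExitWindowsEx"],
    "read an embedded resource (typical dropper payload access)":
        ["FindResourceA", "LoadResource", "LockResource"],
}


def parse_api_calls(text):
    """Return one dict per API line: api, module, args (raw strings), ref (int)."""
    calls = []
    for api, module, args, ref in LINE_RE.findall(text):
        calls.append({"api": api, "module": module,
                      "args": [a.strip() for a in args.split(",")],
                      "ref": int(ref, 16)})
    return calls


def _hex(arg: str) -> Optional[int]:
    """Arguments are 8-digit hex, '?' when the sandbox could not recover them, or a string."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def _flags(value: int, table) -> list:
    return [name for bit, name in table if value & bit] or ["0"]


def decode_call(call):
    """Turn the raw constants of selected calls into their symbolic Win32 names."""
    api, h = call["api"], [_hex(a) for a in call["args"]]
    if api == "VirtualAlloc" and len(h) >= 4 and None not in (h[2], h[3]):
        return {"alloc": _flags(h[2], MEM_FLAGS), "protect": PAGE_PROT.get(h[3], hex(h[3]))}
    if api == "VirtualFree" and len(h) >= 3 and h[2] is not None:
        return {"free": _flags(h[2], MEM_FLAGS)}
    if api == "ExitWindowsEx" and h and h[0] is not None:
        return {"flags": _flags(h[0], EWX_FLAGS)}
    if api.startswith("FindResource") and len(h) >= 3 and None not in (h[1], h[2]):
        # Small integers here are MAKEINTRESOURCE IDs, not string pointers.
        return {"name": h[1], "type": RT_TYPES.get(h[2], str(h[2]))}
    return {}


def match_chains(calls):
    """Return the labels of every chain whose APIs occur in order (as a subsequence)."""
    names = [c["api"] for c in calls]
    hits = []
    for label, chain in CHAINS.items():
        pos = 0
        for n in names:
            if pos < len(chain) and n == chain[pos]:
                pos += 1
        if pos == len(chain):
            hits.append(label)
    return hits


if __name__ == "__main__":
    parsed = parse_api_calls(SAMPLE)
    for c in parsed:
        sym = decode_call(c)
        if sym:
            print(f"{c['ref']:08X} {c['api']:<16} {sym}")
    for hit in match_chains(parsed):
        print("chain:", hit)
```

Subsequence matching is deliberately loose so that calls the sandbox lists between chain members (SizeofResource, GetLastError) do not break a match, which also means it should be run per function entry rather than over a whole concatenated report, or unrelated entries will produce spurious chains. A `?` argument is one the sandbox could not recover, so a decoded value of `{}` for a call is "unknown", not "benign".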
                                                                                                            APIs
                                                                                                            • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID:
                                                                                                            • API String ID: 2299586839-0
                                                                                                            • Opcode ID: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                                            • Instruction ID: 1db3d1c1bb6fab5f91442dea8a08a829cd161d84d3a7e1f0c2fe21aaaafd944f
                                                                                                            • Opcode Fuzzy Hash: b79b605a6dbd2dbd76dc5df923bc970e8acc9169766131cf64cabc826e101d13
                                                                                                            • Instruction Fuzzy Hash: 9ED02EA230E2006AE210808B2C84EBB4A9CCEC53A0F00007FF648C3242D2208C029B76
                                                                                                            APIs
                                                                                                            • GetSystemTime.KERNEL32(?), ref: 004026CE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: SystemTime
                                                                                                            • String ID:
                                                                                                            • API String ID: 2656138-0
                                                                                                            • Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                            • Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
                                                                                                            • Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
                                                                                                            • Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748
                                                                                                            APIs
                                                                                                            • GetVersionExA.KERNEL32(?,004065F0,00000000,004065FE,?,?,?,?,?,0040A622), ref: 00405D02
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Version
                                                                                                            • String ID:
                                                                                                            • API String ID: 1889659487-0
                                                                                                            • Opcode ID: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                                            • Instruction ID: 4c33b40dd65743d8d98a5ffd827b1eb297e5dd4f71424004bfe2d5ab9b26ea54
                                                                                                            • Opcode Fuzzy Hash: 804cda8d473c4c61bcc63f12479ba9190822d5c554409fc9a119c77cb0a2aa37
                                                                                                            • Instruction Fuzzy Hash: 00C0126040070186D7109B31DC02B1672D4AB44310F4405396DA4963C2E73C80018A6E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                                            • Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
                                                                                                            • Opcode Fuzzy Hash: 4d767100099eb102bdc21c19fdb755dbde7929e86d9821f584b3da527505dd0e
                                                                                                            • Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 0040704D
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,00409918), ref: 004070A1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressCloseHandleModuleProc
                                                                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                                                                            • API String ID: 4190037839-2401316094
                                                                                                            • Opcode ID: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                                            • Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
                                                                                                            • Opcode Fuzzy Hash: 84283e8ecd5f01446eeee6c4ca3ac4597d6d061694d9d4138b3ca6e7d0b19e25
                                                                                                            • Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
                                                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
                                                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
                                                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
                                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
                                                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
                                                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
                                                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
                                                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
                                                                                                            • GetLastError.KERNEL32(000000F5), ref: 00403C1E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                            • String ID:
                                                                                                            • API String ID: 1694776339-0
                                                                                                            • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                            • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                                            • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                            • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                                            APIs
                                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,0040560C,?,?,?,?,00000000,00000000,00000000,?,004065EB,00000000,004065FE), ref: 004053DE
                                                                                                              • Part of subcall function 0040520C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052D7,?,00000000,004053B6), ref: 0040522A
                                                                                                              • Part of subcall function 00405258: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040545A,?,?,?,00000000,0040560C), ref: 0040526B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale$DefaultSystem
                                                                                                            • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                            • API String ID: 1044490935-665933166
                                                                                                            • Opcode ID: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                                            • Instruction ID: cc137df54ae1fcbb63b87987e69a719e9c27c4b31815d0debc5c9b1d2781c89a
                                                                                                            • Opcode Fuzzy Hash: 2becd82198b95216644133442ecc563e5ef80f5327bc31795fb041598c227e39
                                                                                                            • Instruction Fuzzy Hash: F8515374B00548ABDB00EBA59891A5F7769DB88304F50D5BBB515BB3C6CA3DCA058F1C
                                                                                                            APIs
                                                                                                            • RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
                                                                                                            • LocalFree.KERNEL32(0062AB80,00000000,00401AB4), ref: 00401A1B
                                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,0062AB80,00000000,00401AB4), ref: 00401A3A
                                                                                                            • LocalFree.KERNEL32(0062BB80,?,00000000,00008000,0062AB80,00000000,00401AB4), ref: 00401A79
                                                                                                            • RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
                                                                                                            • RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 3782394904-0
                                                                                                            • Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                                            • Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
                                                                                                            • Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
                                                                                                            • Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D
                                                                                                            APIs
                                                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
                                                                                                            • ExitProcess.KERNEL32 ref: 00403DE5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExitMessageProcess
                                                                                                            • String ID: Error$Runtime error at 00000000$9@
                                                                                                            • API String ID: 1220098344-1503883590
                                                                                                            • Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                                            • Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
                                                                                                            • Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
                                                                                                            • Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                                                            • String ID:
                                                                                                            • API String ID: 262959230-0
                                                                                                            • Opcode ID: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                                            • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                                            • Opcode Fuzzy Hash: 759139aa8138bb4f1b890a81a570935fc2f09484a8ccbcda4eb7e9d11bc9ffe5
                                                                                                            • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,0040A60E), ref: 004030E3
                                                                                                            • GetCommandLineA.KERNEL32(00000000,0040A60E), ref: 004030EE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                            • Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: CommandHandleLineModule
• String ID: U1hd.@$%a
• API String ID: 2123368496-1085806408
• Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
• Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
• Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
• Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,00409918,00000000), ref: 00406E4C
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: QueryValue
• String ID: )q@
• API String ID: 3660427363-2284170586
• Opcode ID: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
• Instruction ID: 22a93fbabe645b78fd14ced98f65bd4bcb22fe3fd6f8222f7fa8e6a3c98f8dfc
• Opcode Fuzzy Hash: 32d2d681139902fa63b50b1e86c1c6042aee641263ad409bd5d16b68eaa8278f
• Instruction Fuzzy Hash: E6415E31D0021AAFDB21DF95C881BAFB7B8EB04704F56447AE901F7280D738AF108B99
APIs
• MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 00409CBD
Strings
• Setup, xrefs: 00409CAD
• The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 00409CA1
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Message
• String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
• API String ID: 2030045667-3271211647
• Opcode ID: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
• Instruction ID: b8b600ed6bdfe48e96a015bdf4867c85bc36f5512d0f27a60c0f94c744360238
• Opcode Fuzzy Hash: bc66b1cf8cea732a030952d466b76090b354ad7a58696f118c0a4b0261ee3717
• Instruction Fuzzy Hash: 8EE0E5302482087EE311EA528C13F6A7BACE789B04F600477F900B15C3D6786E00A068
APIs
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 004094F7
• Sleep.KERNEL32(?,?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409507
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 0040951A
• GetLastError.KERNEL32(?,?,?,0000000D,?,0040ABED,000000FA,00000032,0040AC54), ref: 00409524
Memory Dump Source
• Source File: 00000000.00000002.2921181062.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2921145479.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921207343.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2921234414.0000000000411000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ErrorLastSleep
• String ID:
• API String ID: 1458359878-0
• Opcode ID: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
• Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
• Opcode Fuzzy Hash: 97bb3b87fdda019371420e794be163fcf62410a15a23215566f33b90e6dc6563
• Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Execution Graph

Execution Coverage: 16%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 84
491ec2 56143->56145 56148 42c92c 5 API calls 56145->56148 56149 446ff8 18 API calls 56146->56149 56154 491f62 56147->56154 56155 491f25 56147->56155 56150 491ecd 56148->56150 56151 491efa 56149->56151 56276 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56150->56276 56153 42c954 5 API calls 56151->56153 56156 491f05 56153->56156 56160 491f71 56154->56160 56161 491fb4 56154->56161 56157 446ff8 18 API calls 56155->56157 56277 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56156->56277 56159 491f34 56157->56159 56162 446ff8 18 API calls 56159->56162 56163 446ff8 18 API calls 56160->56163 56168 491fc3 56161->56168 56169 492027 56161->56169 56164 491f45 56162->56164 56166 491f84 56163->56166 56278 42c4f8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue IsDBCSLeadByte 56164->56278 56170 446ff8 18 API calls 56166->56170 56167 491f51 56279 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56167->56279 56172 446ff8 18 API calls 56168->56172 56176 492066 56169->56176 56177 492036 56169->56177 56173 491f95 56170->56173 56174 491fd0 56172->56174 56280 491af4 12 API calls 56173->56280 56243 42c608 7 API calls 56174->56243 56189 4920a5 56176->56189 56190 492075 56176->56190 56180 446ff8 18 API calls 56177->56180 56179 491fa3 56281 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56179->56281 56183 492043 56180->56183 56181 491fde 56184 491fe2 56181->56184 56185 492017 56181->56185 56284 452908 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection DeleteFileA GetLastError 56183->56284 56188 446ff8 18 API calls 56184->56188 56283 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56185->56283 56193 491ff1 56188->56193 56198 4920e4 56189->56198 56199 4920b4 56189->56199 56191 446ff8 18 API calls 56190->56191 56194 492082 56191->56194 56192 492050 56285 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56192->56285 56244 452c80 56193->56244 56197 452770 5 API 
calls 56194->56197 56202 49208f 56197->56202 56207 49212c 56198->56207 56208 4920f3 56198->56208 56203 446ff8 18 API calls 56199->56203 56200 492061 56200->56060 56201 492001 56282 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56201->56282 56286 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56202->56286 56206 4920c1 56203->56206 56287 452e10 Wow64DisableWow64FsRedirection SetLastError Wow64RevertWow64FsRedirection RemoveDirectoryA GetLastError 56206->56287 56215 49213b 56207->56215 56216 492174 56207->56216 56210 446ff8 18 API calls 56208->56210 56212 492102 56210->56212 56211 4920ce 56288 4470d0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56211->56288 56214 446ff8 18 API calls 56212->56214 56218 492113 56214->56218 56217 446ff8 18 API calls 56215->56217 56221 492187 56216->56221 56227 49223d 56216->56227 56219 49214a 56217->56219 56223 447278 5 API calls 56218->56223 56220 446ff8 18 API calls 56219->56220 56222 49215b 56220->56222 56224 446ff8 18 API calls 56221->56224 56229 447278 5 API calls 56222->56229 56223->56060 56225 4921b4 56224->56225 56226 446ff8 18 API calls 56225->56226 56230 4921cb 56226->56230 56227->56060 56292 446f9c 18 API calls 56227->56292 56229->56060 56289 407ddc 7 API calls 56230->56289 56231 492256 56232 42e8c8 5 API calls 56231->56232 56233 49225e 56232->56233 56293 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56233->56293 56236 4921ed 56237 446ff8 18 API calls 56236->56237 56238 492201 56237->56238 56290 408508 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 56238->56290 56240 49220c 56291 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56240->56291 56242 492218 56243->56181 56245 452724 2 API calls 56244->56245 56247 452c99 56245->56247 56246 452c9d 56246->56201 56247->56246 56248 452cc1 MoveFileA GetLastError 56247->56248 56249 452760 Wow64RevertWow64FsRedirection 56248->56249 56250 452ce7 56249->56250 56250->56201 56251->56060 56253 406bbf 
56252->56253 56254 406be1 56253->56254 56255 406bd8 56253->56255 56257 403778 4 API calls 56254->56257 56256 403400 4 API calls 56255->56256 56258 406bdf 56256->56258 56257->56258 56259 44734c LocalAlloc TlsSetValue TlsGetValue TlsGetValue VariantClear 56258->56259 56259->56060 56260->56079 56261->56060 56262->56086 56263->56060 56264->56089 56265->56060 56266->56060 56267->56060 56268->56112 56269->56060 56270->56123 56271->56060 56272->56060 56273->56060 56274->56142 56275->56060 56276->56060 56277->56060 56278->56167 56279->56060 56280->56179 56281->56060 56282->56060 56283->56060 56284->56192 56285->56200 56286->56060 56287->56211 56288->56060 56289->56236 56290->56240 56291->56242 56292->56231 56293->56060 56294 40cc34 56297 406f10 WriteFile 56294->56297 56298 406f2d 56297->56298 50393 48095d 50398 451004 50393->50398 50395 480971 50408 47fa0c 50395->50408 50397 480995 50399 451011 50398->50399 50401 451065 50399->50401 50417 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50399->50417 50414 450e88 50401->50414 50405 45108d 50406 4510d0 50405->50406 50419 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50405->50419 50406->50395 50424 40b3c8 50408->50424 50410 47fa79 50410->50397 50412 47fa2e 50412->50410 50428 4069dc 50412->50428 50431 476994 50412->50431 50420 450e34 50414->50420 50417->50401 50418 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50418->50405 50419->50406 50421 450e57 50420->50421 50422 450e46 50420->50422 50421->50405 50421->50418 50423 450e4b InterlockedExchange 50422->50423 50423->50421 50425 40b3d3 50424->50425 50427 40b3f3 50425->50427 50447 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50425->50447 50427->50412 50429 402648 4 API calls 50428->50429 50430 4069e7 50429->50430 50430->50412 50440 4769c5 50431->50440 50446 476a0e 50431->50446 50432 451294 21 API calls 50432->50440 50433 476a59 50448 451294 50433->50448 50434 451294 21 API calls 50434->50446 50437 476a70 50439 403420 4 API calls 50437->50439 50438 
4038a4 4 API calls 50438->50446 50441 476a8a 50439->50441 50440->50432 50443 403450 4 API calls 50440->50443 50440->50446 50454 4038a4 50440->50454 50463 403744 50440->50463 50441->50412 50443->50440 50444 403744 4 API calls 50444->50446 50445 403450 4 API calls 50445->50446 50446->50433 50446->50434 50446->50438 50446->50444 50446->50445 50447->50427 50449 4512a4 50448->50449 50450 4512af 50448->50450 50449->50437 50467 451238 21 API calls 50450->50467 50452 4512ba 50452->50449 50468 408c0c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50452->50468 50455 4038b1 50454->50455 50462 4038e1 50454->50462 50457 4038da 50455->50457 50460 4038bd 50455->50460 50456 403400 4 API calls 50459 4038cb 50456->50459 50458 4034bc 4 API calls 50457->50458 50458->50462 50459->50440 50469 402678 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50460->50469 50462->50456 50464 40374a 50463->50464 50466 40375b 50463->50466 50465 4034bc 4 API calls 50464->50465 50464->50466 50465->50466 50466->50440 50467->50452 50468->50449 50469->50459 50470 41ee54 50471 41ee63 IsWindowVisible 50470->50471 50472 41ee99 50470->50472 50471->50472 50473 41ee6d IsWindowEnabled 50471->50473 50473->50472 50474 41ee77 50473->50474 50475 402648 4 API calls 50474->50475 50476 41ee81 EnableWindow 50475->50476 50476->50472 50477 46bb10 50478 46bb44 50477->50478 50510 46bfad 50477->50510 50480 46bb80 50478->50480 50483 46bbdc 50478->50483 50484 46bbba 50478->50484 50485 46bbcb 50478->50485 50486 46bb98 50478->50486 50487 46bba9 50478->50487 50479 403400 4 API calls 50482 46bfec 50479->50482 50480->50510 50568 468c74 50480->50568 50488 403400 4 API calls 50482->50488 50800 46baa0 45 API calls 50483->50800 50533 46b6d0 50484->50533 50799 46b890 67 API calls 50485->50799 50797 46b420 47 API calls 50486->50797 50798 46b588 42 API calls 50487->50798 50494 46bff4 50488->50494 50495 46bb9e 50495->50480 50495->50510 50496 46bc5b 50500 414ae8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50496->50500 50501 46bd7e 
50496->50501 50504 42cbc0 6 API calls 50496->50504 50506 403450 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50496->50506 50507 46af68 23 API calls 50496->50507 50496->50510 50511 46bdd7 50496->50511 50529 46be9f 50496->50529 50571 468bb0 50496->50571 50579 46acd4 50496->50579 50724 483084 50496->50724 50837 46b1dc 19 API calls 50496->50837 50497 46bc18 50497->50496 50497->50510 50801 494da0 50497->50801 50500->50496 50820 48358c 123 API calls 50501->50820 50504->50496 50505 46bd99 50505->50510 50506->50496 50507->50496 50510->50479 50586 469f1c 50511->50586 50512 46af68 23 API calls 50512->50510 50514 46be3d 50515 403450 4 API calls 50514->50515 50516 46be4d 50515->50516 50517 46bea9 50516->50517 50518 46be59 50516->50518 50523 46bf6b 50517->50523 50647 46af68 50517->50647 50821 457f1c 50518->50821 50522 457f1c 24 API calls 50522->50529 50529->50512 50838 46c424 50533->50838 50536 46b852 50537 403420 4 API calls 50536->50537 50539 46b86c 50537->50539 50541 403400 4 API calls 50539->50541 50540 46b71e 50567 46b83e 50540->50567 50845 455f84 13 API calls 50540->50845 50543 46b874 50541->50543 50542 403450 4 API calls 50542->50536 50545 403400 4 API calls 50543->50545 50546 46b87c 50545->50546 50546->50480 50547 46b801 50547->50536 50553 42cd48 7 API calls 50547->50553 50547->50567 50550 46b73c 50551 46b7a1 50550->50551 50846 466600 50550->50846 50551->50536 50551->50547 50855 42cd48 50551->50855 50556 46b817 50553->50556 50561 451458 4 API calls 50556->50561 50556->50567 50563 46b82e 50561->50563 50862 47efd0 42 API calls 50563->50862 50567->50536 50567->50542 50569 468bb0 19 API calls 50568->50569 50570 468c83 50569->50570 50570->50497 50575 468bdf 50571->50575 50572 4078f4 19 API calls 50573 468c18 50572->50573 51116 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50573->51116 50575->50572 50576 468c20 50575->50576 50577 403400 4 API calls 50576->50577 50578 468c38 50577->50578 50578->50496 50580 46ace5 50579->50580 50581 46ace0 50579->50581 51202 469a80 46 
API calls 50580->51202 50582 46ace3 50581->50582 51117 46a740 50581->51117 50582->50496 50584 46aced 50584->50496 50587 403400 4 API calls 50586->50587 50588 469f4a 50587->50588 51579 47dd00 50588->51579 50590 469fad 50591 469fb1 50590->50591 50592 469fca 50590->50592 51586 466800 50591->51586 50594 469fbb 50592->50594 51589 494c90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50592->51589 50595 46a25e 50594->50595 50597 46a154 50594->50597 50598 46a0e9 50594->50598 50599 403420 4 API calls 50595->50599 50603 403494 4 API calls 50597->50603 50602 403494 4 API calls 50598->50602 50604 46a288 50599->50604 50600 469fe6 50600->50594 50601 469fee 50600->50601 50605 46af68 23 API calls 50601->50605 50606 46a0f6 50602->50606 50607 46a161 50603->50607 50604->50514 50614 469ffb 50605->50614 50608 40357c 4 API calls 50606->50608 50609 40357c 4 API calls 50607->50609 50610 46a103 50608->50610 50611 46a16e 50609->50611 50612 40357c 4 API calls 50610->50612 50613 40357c 4 API calls 50611->50613 50615 46a110 50612->50615 50616 46a17b 50613->50616 50619 46a024 SetActiveWindow 50614->50619 50620 46a03c 50614->50620 50617 40357c 4 API calls 50615->50617 50618 40357c 4 API calls 50616->50618 50621 46a11d 50617->50621 50622 46a188 50618->50622 50619->50620 51590 42f560 50620->51590 50624 466800 20 API calls 50621->50624 50623 40357c 4 API calls 50622->50623 50626 46a196 50623->50626 50625 46a12b 50624->50625 50627 40357c 4 API calls 50625->50627 50628 414b18 4 API calls 50626->50628 50630 46a134 50627->50630 50631 46a152 50628->50631 50633 40357c 4 API calls 50630->50633 51607 466b38 50631->51607 50636 46a141 50633->50636 50638 414b18 4 API calls 50636->50638 50637 46a08d 50639 46ade4 21 API calls 50637->50639 50638->50631 50640 46a0bf 50639->50640 50640->50514 50648 468c74 19 API calls 50647->50648 50649 46af80 50648->50649 50650 46afa2 50649->50650 50651 4652cc 7 API calls 50649->50651 51792 4652cc 50650->51792 50651->50650 50655 46afba 50656 46ade4 21 API calls 50655->50656 50657 
46aff2 50656->50657 50658 414b18 4 API calls 50657->50658 50659 46b006 50658->50659 50660 46b012 50659->50660 50661 46b03c 50659->50661 50662 414b18 4 API calls 50660->50662 50663 46b05b 50661->50663 50664 46b085 50661->50664 50665 46b026 50662->50665 50666 414b18 4 API calls 50663->50666 50667 414b18 4 API calls 50664->50667 50668 414b18 4 API calls 50665->50668 50669 46b06f 50666->50669 50670 46b099 50667->50670 50725 46c424 48 API calls 50724->50725 50726 4830c7 50725->50726 50727 4830d0 50726->50727 52068 408be0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 50726->52068 50729 414ae8 4 API calls 50727->50729 50730 4830e0 50729->50730 50731 403450 4 API calls 50730->50731 50732 4830ed 50731->50732 51870 46c77c 50732->51870 50735 4830fd 50737 414ae8 4 API calls 50735->50737 50738 48310d 50737->50738 50739 403450 4 API calls 50738->50739 50740 48311a 50739->50740 50741 469868 SendMessageA 50740->50741 50742 483133 50741->50742 50743 483184 50742->50743 52070 479e18 23 API calls 50742->52070 51899 4241dc IsIconic 50743->51899 50747 48319f SetActiveWindow 50748 4831b4 50747->50748 51907 4824b4 50748->51907 50797->50495 50798->50480 50799->50480 50800->50480 53731 43d9c8 50801->53731 50804 494dcc 53736 431bd0 50804->53736 50805 494e52 50806 494e61 50805->50806 53769 4945c8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50805->53769 50806->50496 50815 494e16 53767 49465c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50815->53767 50817 494e2a 53768 433dd0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50817->53768 50819 494e4a 50819->50496 50820->50505 50822 457f41 50821->50822 50823 457f61 50822->50823 50824 4078f4 19 API calls 50822->50824 50826 403400 4 API calls 50823->50826 50825 457f59 50824->50825 50827 457d10 24 API calls 50825->50827 50828 457f76 50826->50828 50827->50823 50828->50522 50837->50496 50863 46c4bc 50838->50863 50841 414ae8 50842 414af6 50841->50842 50843 4034e0 4 API calls 50842->50843 50844 414b03 50843->50844 50844->50540 
50845->50550 50847 46661a 50846->50847 51067 4078f4 50847->51067 51110 42cccc 50855->51110 50858 451458 50859 451428 4 API calls 50858->50859 50860 451474 50859->50860 50862->50567 50864 414ae8 4 API calls 50863->50864 50865 46c4f0 50864->50865 50924 466898 50865->50924 50869 46c502 50870 46c511 50869->50870 50874 46c52a 50869->50874 50994 47efd0 42 API calls 50870->50994 50872 403420 4 API calls 50873 46b702 50872->50873 50873->50536 50873->50841 50875 46c571 50874->50875 50876 46c558 50874->50876 50877 46c5d6 50875->50877 50890 46c575 50875->50890 50995 47efd0 42 API calls 50876->50995 50997 42cb4c CharNextA 50877->50997 50880 46c5e5 50881 46c5e9 50880->50881 50885 46c602 50880->50885 50998 47efd0 42 API calls 50881->50998 50883 46c5bd 50996 47efd0 42 API calls 50883->50996 50884 46c626 50999 47efd0 42 API calls 50884->50999 50885->50884 50938 466a08 50885->50938 50889 46c616 50889->50884 50943 466a38 50889->50943 50890->50883 50890->50885 50893 46c63f 50947 403778 50893->50947 50898 46c666 51000 466a94 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50898->51000 50899 46c697 50958 42c8cc 50899->50958 50902 46c679 50905 451458 4 API calls 50902->50905 50907 46c686 50905->50907 50911 46c525 50911->50872 50929 4668b2 50924->50929 50926 42cbc0 6 API calls 50926->50929 50927 403450 4 API calls 50927->50929 50928 406bb0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50928->50929 50929->50926 50929->50927 50929->50928 50930 4668fb 50929->50930 51004 42caac 50929->51004 50931 403420 4 API calls 50930->50931 50932 466915 50931->50932 50933 414b18 50932->50933 50934 414ae8 4 API calls 50933->50934 50935 414b3c 50934->50935 50936 403400 4 API calls 50935->50936 50937 414b6d 50936->50937 50937->50869 50941 466a12 50938->50941 50939 466a33 50939->50889 50940 466a25 50940->50889 50941->50939 50941->50940 51020 42cb3c CharNextA 50941->51020 50945 466a42 50943->50945 50944 466a6f 50944->50884 50944->50893 50945->50944 51021 42cb3c CharNextA 50945->51021 50948 4037aa 50947->50948 
50950 40377d 50947->50950 50949 403400 4 API calls 50948->50949 50951 4037a0 50949->50951 50950->50948 50952 403791 50950->50952 50954 42c99c 50951->50954 50953 4034e0 4 API calls 50952->50953 50953->50951 50955 42c9f5 50954->50955 50956 42c9b2 50954->50956 50955->50898 50955->50899 50956->50955 51022 42cb3c CharNextA 50956->51022 51023 42c674 50958->51023 50994->50911 50995->50911 50996->50911 50997->50880 50998->50911 50999->50911 51000->50902 51005 403494 4 API calls 51004->51005 51008 42cabc 51005->51008 51006 403744 4 API calls 51006->51008 51008->51006 51011 42caf2 51008->51011 51013 42c444 IsDBCSLeadByte 51008->51013 51009 42cb36 51009->50929 51011->51009 51014 4037b8 51011->51014 51019 42c444 IsDBCSLeadByte 51011->51019 51013->51008 51015 403744 4 API calls 51014->51015 51016 4037c6 51015->51016 51017 4037fc 51016->51017 51018 4038a4 4 API calls 51016->51018 51017->51011 51018->51017 51019->51011 51020->50941 51021->50945 51022->50956 51026 42c67c 51023->51026 51029 42c68d 51026->51029 51070 407908 51067->51070 51071 407925 51070->51071 51078 4075b8 51071->51078 51074 407951 51076 4034e0 4 API calls 51074->51076 51077 407903 51076->51077 51081 4075d3 51078->51081 51079 4075e5 51079->51074 51083 4069a0 LocalAlloc TlsSetValue TlsGetValue TlsGetValue LoadStringA 51079->51083 51081->51079 51084 4076da 19 API calls 51081->51084 51085 4075ac LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51081->51085 51083->51074 51084->51081 51085->51081 51111 42cbc0 6 API calls 51110->51111 51112 42ccee 51111->51112 51113 42ccf6 GetFileAttributesA 51112->51113 51114 403400 4 API calls 51113->51114 51115 42cd13 51114->51115 51115->50547 51115->50858 51116->50576 51119 46a787 51117->51119 51118 46abff 51121 46ac1a 51118->51121 51122 46ac4b 51118->51122 51119->51118 51120 46a842 51119->51120 51125 403494 4 API calls 51119->51125 51124 46a863 51120->51124 51128 46a8a4 51120->51128 51126 403494 4 API calls 51121->51126 51123 403494 4 API calls 51122->51123 51127 46ac59 51123->51127 
51129 403494 4 API calls 51124->51129 51130 46a7c6 51125->51130 51131 46ac28 51126->51131 51230 46915c 12 API calls 51127->51230 51132 403400 4 API calls 51128->51132 51134 46a871 51129->51134 51135 414ae8 4 API calls 51130->51135 51229 46915c 12 API calls 51131->51229 51137 46a8a2 51132->51137 51138 414ae8 4 API calls 51134->51138 51139 46a7e7 51135->51139 51160 46a988 51137->51160 51209 469868 51137->51209 51142 46a892 51138->51142 51203 403634 51139->51203 51140 46ac36 51141 403400 4 API calls 51140->51141 51145 46ac7c 51141->51145 51147 403634 4 API calls 51142->51147 51152 403400 4 API calls 51145->51152 51146 46aa10 51150 403400 4 API calls 51146->51150 51147->51137 51154 46aa0e 51150->51154 51151 46a8c4 51155 46a902 51151->51155 51156 46a8ca 51151->51156 51157 46ac84 51152->51157 51224 469ca4 43 API calls 51154->51224 51161 403400 4 API calls 51155->51161 51158 403494 4 API calls 51156->51158 51159 403420 4 API calls 51157->51159 51163 46a8d8 51158->51163 51164 46ac91 51159->51164 51160->51146 51165 46a9cf 51160->51165 51166 46a900 51161->51166 51215 47c26c 51163->51215 51164->50582 51170 403494 4 API calls 51165->51170 51218 469b5c 51166->51218 51174 46a9dd 51170->51174 51172 46aa39 51181 46aa44 51172->51181 51182 46aa9a 51172->51182 51173 46a8f0 51176 403634 4 API calls 51173->51176 51177 414ae8 4 API calls 51174->51177 51176->51166 51178 46a9fe 51177->51178 51180 403634 4 API calls 51178->51180 51179 46a929 51185 46a934 51179->51185 51186 46a98a 51179->51186 51180->51154 51184 403494 4 API calls 51181->51184 51183 403400 4 API calls 51182->51183 51191 46aaa2 51183->51191 51187 46aa52 51184->51187 51189 403494 4 API calls 51185->51189 51188 403400 4 API calls 51186->51188 51187->51191 51195 403634 4 API calls 51187->51195 51196 46aa98 51187->51196 51188->51160 51190 46a942 51189->51190 51190->51160 51197 403634 4 API calls 51190->51197 51201 46ab4b 51191->51201 51225 494c90 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51191->51225 51193 46aac5 
51193->51201 51226 494f3c 18 API calls 51193->51226 51195->51187 51196->51191 51197->51190 51199 46abec 51228 429144 SendMessageA SendMessageA 51199->51228 51227 4290f4 SendMessageA 51201->51227 51202->50584 51204 40363c 51203->51204 51205 4034bc 4 API calls 51204->51205 51206 40364f 51205->51206 51207 403450 4 API calls 51206->51207 51208 403677 51207->51208 51231 42a040 SendMessageA 51209->51231 51211 469877 51212 469897 51211->51212 51232 42a040 SendMessageA 51211->51232 51212->51151 51214 469887 51214->51151 51233 47c2b4 51215->51233 51222 469b89 51218->51222 51219 469beb 51220 403400 4 API calls 51219->51220 51221 469c00 51220->51221 51221->51179 51222->51219 51578 469ae0 43 API calls 51222->51578 51224->51172 51225->51193 51226->51201 51227->51199 51228->51118 51229->51140 51230->51140 51231->51211 51232->51214 51234 403494 4 API calls 51233->51234 51241 47c2e7 51234->51241 51235 47c3f9 51236 403420 4 API calls 51235->51236 51237 47c289 51236->51237 51237->51173 51239 403778 4 API calls 51239->51241 51241->51235 51241->51239 51244 4037b8 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51241->51244 51245 47b100 51241->51245 51489 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51241->51489 51490 403800 51241->51490 51494 42c97c CharPrevA 51241->51494 51244->51241 51246 47b152 51245->51246 51247 47b130 51245->51247 51248 47b172 51246->51248 51249 47b160 51246->51249 51247->51246 51499 47a030 19 API calls 51247->51499 51252 47b1d5 51248->51252 51253 47b180 51248->51253 51250 403494 4 API calls 51249->51250 51318 47b16d 51250->51318 51265 47b1f6 51252->51265 51266 47b1e3 51252->51266 51255 47b1af 51253->51255 51256 47b189 51253->51256 51254 403400 4 API calls 51258 47baf8 51254->51258 51257 47b1c2 51255->51257 51501 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51255->51501 51259 47b19c 51256->51259 51500 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51256->51500 51263 403494 4 API calls 51257->51263 51264 403400 4 API calls 51258->51264 
51261 403494 4 API calls 51259->51261 51261->51318 51263->51318 51267 47bb00 51264->51267 51269 47b217 51265->51269 51270 47b204 51265->51270 51268 403494 4 API calls 51266->51268 51267->51241 51268->51318 51272 47b267 51269->51272 51273 47b225 51269->51273 51271 403494 4 API calls 51270->51271 51271->51318 51279 47b275 51272->51279 51280 47b288 51272->51280 51274 47b241 51273->51274 51275 47b22e 51273->51275 51277 47b254 51274->51277 51502 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51274->51502 51276 403494 4 API calls 51275->51276 51276->51318 51278 403494 4 API calls 51277->51278 51278->51318 51282 403494 4 API calls 51279->51282 51283 47b296 51280->51283 51284 47b2a9 51280->51284 51282->51318 51285 403494 4 API calls 51283->51285 51286 47b2b7 51284->51286 51287 47b2ca 51284->51287 51285->51318 51288 403494 4 API calls 51286->51288 51289 47b2eb 51287->51289 51290 47b2d8 51287->51290 51288->51318 51292 47b327 51289->51292 51293 47b2f9 51289->51293 51291 403494 4 API calls 51290->51291 51291->51318 51298 47b335 51292->51298 51299 47b364 51292->51299 51294 47b315 51293->51294 51295 47b302 51293->51295 51297 47c26c 43 API calls 51294->51297 51296 403494 4 API calls 51295->51296 51296->51318 51297->51318 51300 47b351 51298->51300 51301 47b33e 51298->51301 51304 47b372 51299->51304 51305 47b3a0 51299->51305 51318->51254 51489->51241 51491 403804 51490->51491 51493 40382f 51490->51493 51492 4038a4 4 API calls 51491->51492 51492->51493 51493->51241 51494->51241 51499->51247 51500->51259 51501->51257 51502->51277 51578->51222 51580 47dd19 51579->51580 51583 47dd56 51579->51583 51611 455d0c 51580->51611 51583->50590 51585 47dd6d 51585->50590 51730 466714 51586->51730 51589->50600 51591 42f56c 51590->51591 51592 42f58f GetActiveWindow GetFocus 51591->51592 51593 41eea4 2 API calls 51592->51593 51594 42f5a6 51593->51594 51595 42f5c3 51594->51595 51596 42f5b3 RegisterClassA 51594->51596 51597 42f652 SetFocus 51595->51597 51598 42f5d1 CreateWindowExA 51595->51598 
51596->51595 51600 403400 4 API calls 51597->51600 51598->51597 51599 42f604 51598->51599 51761 42427c 51599->51761 51602 42f66e 51600->51602 51606 494f3c 18 API calls 51602->51606 51603 42f62c 51604 42f634 CreateWindowExA 51603->51604 51604->51597 51605 42f64a ShowWindow 51604->51605 51605->51597 51606->50637 51767 44b514 51607->51767 51612 455d1d 51611->51612 51613 455d21 51612->51613 51614 455d2a 51612->51614 51637 455a10 51613->51637 51645 455af0 29 API calls 51614->51645 51617 455d27 51617->51583 51618 47d970 51617->51618 51623 47da6c 51618->51623 51629 47d9b0 51618->51629 51619 403420 4 API calls 51620 47db4f 51619->51620 51620->51585 51627 47dabd 51623->51627 51633 47da0f 51623->51633 51700 479630 51623->51700 51625 47c26c 43 API calls 51625->51627 51626 47c26c 43 API calls 51626->51629 51627->51623 51627->51625 51630 454100 20 API calls 51627->51630 51631 47da59 51627->51631 51628 47c26c 43 API calls 51635 47da18 51628->51635 51629->51623 51629->51626 51629->51633 51629->51635 51674 479770 51629->51674 51685 4798d4 51629->51685 51630->51627 51631->51633 51633->51619 51635->51628 51635->51629 51635->51631 51689 42c92c 51635->51689 51694 42c954 51635->51694 51699 47d67c 52 API calls 51635->51699 51646 42de1c 51637->51646 51639 455a2d 51640 455a7b 51639->51640 51649 455944 51639->51649 51640->51617 51643 455944 6 API calls 51644 455a5c RegCloseKey 51643->51644 51644->51617 51645->51617 51647 42de27 51646->51647 51648 42de2d RegOpenKeyExA 51646->51648 51647->51648 51648->51639 51654 42dd58 51649->51654 51651 403420 4 API calls 51652 4559f6 51651->51652 51652->51643 51653 45596c 51653->51651 51657 42dc00 51654->51657 51658 42dc26 RegQueryValueExA 51657->51658 51659 42dc6b 51658->51659 51664 42dc49 51658->51664 51660 403400 4 API calls 51659->51660 51662 42dd37 51660->51662 51661 42dc63 51663 403400 4 API calls 51661->51663 51662->51653 51663->51659 51664->51659 51664->51661 51665 4034e0 4 API calls 51664->51665 51666 403744 4 API calls 51664->51666 51665->51664 
51667 42dca0 RegQueryValueExA 51666->51667 51667->51658 51668 42dcbc 51667->51668 51668->51659 51669 4038a4 4 API calls 51668->51669 51670 42dcfe 51669->51670 51671 42dd10 51670->51671 51673 403744 4 API calls 51670->51673 51672 403450 4 API calls 51671->51672 51672->51659 51673->51671 51675 479786 51674->51675 51676 479782 51674->51676 51677 403450 4 API calls 51675->51677 51676->51629 51678 479793 51677->51678 51679 4797b3 51678->51679 51680 479799 51678->51680 51682 479630 19 API calls 51679->51682 51681 479630 19 API calls 51680->51681 51683 4797af 51681->51683 51682->51683 51684 403400 4 API calls 51683->51684 51684->51676 51686 4798e0 51685->51686 51687 4798fb 51686->51687 51712 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51686->51712 51687->51629 51713 42c79c 51689->51713 51692 403778 4 API calls 51693 42c94e 51692->51693 51693->51635 51695 42c79c IsDBCSLeadByte 51694->51695 51696 42c964 51695->51696 51697 403778 4 API calls 51696->51697 51698 42c975 51697->51698 51698->51635 51699->51635 51701 47964b 51700->51701 51702 47970a 51701->51702 51705 47967c 51701->51705 51725 4794e4 19 API calls 51701->51725 51702->51623 51704 4796a1 51708 4796c2 51704->51708 51727 4794e4 19 API calls 51704->51727 51705->51704 51726 4794e4 19 API calls 51705->51726 51708->51702 51709 479702 51708->51709 51728 453344 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 51708->51728 51719 479368 51709->51719 51712->51687 51714 42c67c IsDBCSLeadByte 51713->51714 51715 42c7b1 51714->51715 51716 42c7fb 51715->51716 51718 42c444 IsDBCSLeadByte 51715->51718 51716->51692 51718->51715 51720 4793a3 51719->51720 51721 403450 4 API calls 51720->51721 51722 4793c8 51721->51722 51729 477a58 19 API calls 51722->51729 51724 479409 51724->51702 51725->51705 51726->51704 51727->51708 51728->51709 51729->51724 51731 403494 4 API calls 51730->51731 51732 466742 51731->51732 51747 42dbc8 51732->51747 51735 42dbc8 5 API calls 51736 466766 51735->51736 51737 466600 19 API calls 51736->51737 51738 
Strings
• Version of our file: %u.%u.%u.%u, xrefs: 00470AF0
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00470E96
• Incrementing shared file count (32-bit)., xrefs: 004715A5
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00470CC4
• , xrefs: 00470BCF, 00470DA0, 00470E1E
• Same version. Skipping., xrefs: 00470CE5
• Existing file has a later time stamp. Skipping., xrefs: 00470DCF
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00470DEC
• Couldn't read time stamp. Skipping., xrefs: 00470D35
• @, xrefs: 004707B0
• Version of our file: (none), xrefs: 00470AFC
• Time stamp of our file: %s, xrefs: 0047099B
• Time stamp of our file: (failed to read), xrefs: 004709A7
• Dest file exists., xrefs: 004709BB
• Installing into GAC, xrefs: 00471714
• .tmp, xrefs: 00470FB7
• Same time stamp. Skipping., xrefs: 00470D55
• Dest filename: %s, xrefs: 00470894
• InUn, xrefs: 0047115F
• Time stamp of existing file: (failed to read), xrefs: 00470A37
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00470CD0
• Skipping due to "onlyifdoesntexist" flag., xrefs: 004709CE
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00470CB5
• Will register the file (a DLL/OCX) later., xrefs: 0047151F
• User opted not to overwrite the existing file. Skipping., xrefs: 00470E4D
• Version of existing file: (none), xrefs: 00470CFA
• Version of existing file: %u.%u.%u.%u, xrefs: 00470B7C
• Stripped read-only attribute., xrefs: 00470EC7
• Time stamp of existing file: %s, xrefs: 00470A2B
• Incrementing shared file count (64-bit)., xrefs: 0047158C
• Will register the file (a type library) later., xrefs: 00471513
• Non-default bitness: 32-bit, xrefs: 004708BB
• -- File entry --, xrefs: 004706FB
• Non-default bitness: 64-bit, xrefs: 004708AF
• Uninstaller requires administrator: %s, xrefs: 0047118F
• Skipping due to "onlyifdestfileexists" flag., xrefs: 00470EFA
• Existing file is a newer version. Skipping., xrefs: 00470C02
• Failed to strip read-only attribute., xrefs: 00470ED3
• Installing the file., xrefs: 00470F09
• Dest file is protected by Windows File Protection., xrefs: 004708ED
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID:
• String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
• API String ID: 0-4021121268
• Opcode ID: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
• Instruction ID: 04e5041402f80353ef90c659d92e8d378e84d4fed116f8838aecbbc27e5febe3
• Opcode Fuzzy Hash: cebd1a573a13cfb1480ab73f2a07467b13e4d984594641078933206a2f2f5451
• Instruction Fuzzy Hash: 31927574A0424CDFDB21DFA9C445BDDBBB5AF05304F1480ABE848A7392D7789E49CB19

Control-flow Graph

APIs
• AllocateAndInitializeSid.ADVAPI32(00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0D6
• GetVersion.KERNEL32(00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E0F3
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E10C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E112
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E280,?,00499788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E127
• FreeSid.ADVAPI32(00000000,0042E287,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E27A
Strings
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 2252812187-1888249752
• Opcode ID: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
• Instruction ID: e5677345bf142a8b1d9111380f95962c8bb8cf61ba8e960ca5c3fd0f127139eb
• Opcode Fuzzy Hash: a9f409996ddfe82e0213da269ff1de212d34eb3ec341ac20085b7d7d2472ef68
• Instruction Fuzzy Hash: E351A271B44215EEEB10EAE69C42BBF77ACEB09704F9404BBB901F7281D57C99018B79

Control-flow Graph

control_flow_graph 1642 4502c0-4502cd 1643 4502d3-4502e0 GetVersion 1642->1643 1644 45037c-450386 1642->1644 1643->1644 1645 4502e6-4502fc LoadLibraryA 1643->1645 1645->1644 1646 4502fe-450377 GetProcAddress * 6 1645->1646 1646->1644
APIs
• GetVersion.KERNEL32(00480B52), ref: 004502D3
• LoadLibraryA.KERNEL32(Rstrtmgr.dll,00480B52), ref: 004502EB
• GetProcAddress.KERNEL32(6E240000,RmStartSession), ref: 00450309
• GetProcAddress.KERNEL32(6E240000,RmRegisterResources), ref: 0045031E
• GetProcAddress.KERNEL32(6E240000,RmGetList), ref: 00450333
• GetProcAddress.KERNEL32(6E240000,RmShutdown), ref: 00450348
• GetProcAddress.KERNEL32(6E240000,RmRestart), ref: 0045035D
• GetProcAddress.KERNEL32(6E240000,RmEndSession), ref: 00450372
Strings
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: AddressProc$LibraryLoadVersion
• String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
• API String ID: 1968650500-3419246398
• Opcode ID: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
• Instruction ID: c77cef2ad5653e61b65a4477cbb73d0d56cf7b8a9d174f96be3e9b6947252677
• Opcode Fuzzy Hash: 2681632e5309952c30eea3f8c2bf2722b4339596373eceda0d07b93e3cd0d7e4
• Instruction Fuzzy Hash: B211F7B4510301DBD710FB61BF45A2E36E9E728315B08063FE804961A2CB7C4844CF8C

Control-flow Graph

control_flow_graph 1790 423c0c-423c40 1791 423c42-423c43 1790->1791 1792 423c74-423c8b call 423b68 1790->1792 1794 423c45-423c61 call 40b24c 1791->1794 1797 423cec-423cf1 1792->1797 1798 423c8d 1792->1798 1827 423c63-423c6b 1794->1827 1828 423c70-423c72 1794->1828 1800 423cf3 1797->1800 1801 423d27-423d2c 1797->1801 1802 423c93-423c96 1798->1802 1803 423d50-423d60 1798->1803 1804 423fb1-423fb9 1800->1804 1805 423cf9-423d01 1800->1805 1808 423d32-423d35 1801->1808 1809 42409a-4240a8 IsIconic 1801->1809 1806 423cc5-423cc8 1802->1806 1807 423c98 1802->1807 1810 423d62-423d67 1803->1810 1811 423d6b-423d73 call 424194 1803->1811 1816 424152-42415a 1804->1816 1822 423fbf-423fca call 4181e0 1804->1822 1814 423f13-423f3a SendMessageA 1805->1814 1815 423d07-423d0c 1805->1815 1823 423da9-423db0 1806->1823 1824 423cce-423ccf 1806->1824 1818 423df6-423e06 call 423b84 1807->1818 1819 423c9e-423ca1 1807->1819 1820 4240d6-4240eb call 424850 1808->1820 1821 423d3b-423d3c 1808->1821 1809->1816 1817 4240ae-4240b9 GetFocus 1809->1817 1825 423d78-423d80 call 4241dc 1810->1825 1826 423d69-423d8c call 423b84 1810->1826 1811->1816 1814->1816 1829 423d12-423d13 1815->1829 1830 42404a-424055 1815->1830 1831 424171-424177 1816->1831 1817->1816 1838 4240bf-4240c8 call 41eff4 1817->1838 1818->1816 1839 423ca7-423caa 1819->1839 1840 423e1e-423e3a PostMessageA call 423b84 1819->1840 1820->1816 1833 423d42-423d45 1821->1833 1834 4240ed-4240f4 1821->1834 1822->1816 1866 423fd0-423fdf call 4181e0 IsWindowEnabled 1822->1866 1823->1816 1843 423db6-423dbd 1823->1843 1844 423cd5-423cd8 1824->1844 1845 423f3f-423f46 1824->1845 1825->1816 1826->1816 1827->1831 1828->1792 1828->1794 1846 424072-42407d 1829->1846 1847 423d19-423d1c 1829->1847 1830->1816 1849 42405b-42406d 1830->1849 1850 424120-424127 1833->1850 1851 423d4b 1833->1851 1860 4240f6-424109 call 4244d4 1834->1860 1861 42410b-42411e call 42452c 1834->1861 1838->1816 1898 4240ce-4240d4 SetFocus 1838->1898 1857 423cb0-423cb3 1839->1857 1858 423ea5-423eac 1839->1858 1840->1816 1843->1816 1863 423dc3-423dc9 1843->1863 1864 423cde-423ce1 1844->1864 1865 423e3f-423e5f call 423b84 1844->1865 1845->1816 1853 423f4c-423f51 call 404e54 1845->1853 1846->1816 1875 424083-424095 1846->1875 1872 423d22 1847->1872 1873 423f56-423f5e 1847->1873 1849->1816 1870 42413a-424149 1850->1870 1871 424129-424138 1850->1871 1874 42414b-42414c call 423b84 1851->1874 1853->1816 1881 423cb9-423cba 1857->1881 1882 423dce-423ddc IsIconic 1857->1882 1883 423eae-423ec1 call 423b14 1858->1883 1884 423edf-423ef0 call 423b84 1858->1884 1860->1816 1861->1816 1863->1816 1867 423ce7 1864->1867 1868 423e0b-423e19 call 424178 1864->1868 1911 423e83-423ea0 call 423a84 PostMessageA 1865->1911 1912 423e61-423e7e call 423b14 PostMessageA 1865->1912 1866->1816 1915 423fe5-423ff4 call 4181e0 IsWindowVisible 1866->1915 1867->1874 1868->1816 1870->1816 1871->1816 1872->1874 1873->1816 1896 423f64-423f6b 1873->1896 1907 424151 1874->1907 1875->1816 1899 423cc0 1881->1899 1900 423d91-423d99 1881->1900 1889 423dea-423df1 call 423b84 1882->1889 1890 423dde-423de5 call 423bc0 1882->1890 1924 423ed3-423eda call 423b84 1883->1924 1925 423ec3-423ecd call 41ef58 1883->1925 1918 423ef2-423ef8 call 41eea4 1884->1918 1919 423f06-423f0e call 423a84 1884->1919 1889->1816 1890->1816 1896->1816 1910 423f71-423f80 call 4181e0 IsWindowEnabled 1896->1910 1898->1816 1899->1874 1900->1816 1913 423d9f-423da4 call 422c4c 1900->1913 1907->1816 1910->1816 1940 423f86-423f9c call 412310 1910->1940 1911->1816 1912->1816 1913->1816 1915->1816 1941 423ffa-424045 GetFocus call 4181e0 SetFocus call 415240 SetFocus 1915->1941 1938 423efd-423f00 1918->1938 1919->1816 1924->1816 1925->1924 1938->1919 1940->1816 1946 423fa2-423fac 1940->1946 1941->1816 1946->1816
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
• Instruction ID: afb4f91cf4018cf9acc1c9974f14325182323c15c0e0405bd0f9b005e596376e
• Opcode Fuzzy Hash: 22958418fcb5307417e2cb8c5b21c835fdc4d5c2778e3f26f52eb9817f6a2da5
• Instruction Fuzzy Hash: 03E1AE31700124EFDB04DF69E989AADB7B5FB54300FA440AAE5559B352C73CEE81DB09

Control-flow Graph

control_flow_graph 2133 4673a4-4673ba 2134 4673c4-46747b call 49577c call 402b30 * 6 2133->2134 2135 4673bc-4673bf call 402d30 2133->2135 2152 46747d-4674a4 call 41463c 2134->2152 2153 4674b8-4674d1 2134->2153 2135->2134 2157 4674a6 2152->2157 2158 4674a9-4674b3 call 4145fc 2152->2158 2159 4674d3-4674fa call 41461c 2153->2159 2160 46750e-46751c call 495a84 2153->2160 2157->2158 2158->2153 2166 4674ff-467509 call 4145dc 2159->2166 2167 4674fc 2159->2167 2168 46751e-46752d call 4958cc 2160->2168 2169 46752f-467531 call 4959f0 2160->2169 2166->2160 2167->2166 2174 467536-467589 call 4953e0 call 41a3d0 * 2 2168->2174 2169->2174 2181 46759a-4675af call 451458 call 414b18 2174->2181 2182 46758b-467598 call 414b18 2174->2182 2188 4675b4-4675bb 2181->2188 2182->2188 2189 467603-467a89 call 49581c call 495b40 call 41461c * 3 call 4146bc call 4145dc * 3 call 460bfc call 460c14 call 460c20 call 460c68 call 460bfc call 460c14 call 460c20 call 460c68 call 460c14 call 460c68 LoadBitmapA call 41d6b0 call 460c38 call 460c50 call 467180 call 468c94 call 466800 call 40357c call 414b18 call 466b38 call 466b40 call 466800 call 40357c * 2 call 414b18 call 468c94 call 466800 call 414b18 call 466b38 call 466b40 call 414b18 * 2 call 468c94 call 414b18 * 2 call 466b38 call 4145fc call 466b38 call 4145fc call 468c94 call 414b18 call 466b38 call 466b40 call 468c94 call 414b18 call 466b38 call 4145fc * 2 call 414b18 call 466b38 call 4145fc 2188->2189 2190 4675bd-4675fe call 4146bc call 414700 call 420f98 call 420fc4 call 420b68 call 420b94 2188->2190 2320 467ae5-467afe call 414a44 * 2 2189->2320 2321 467a8b-467ae3 call 4145fc call 414b18 call 466b38 call 4145fc 2189->2321 2190->2189 2328 467b03-467bb4 call 466800 call 468c94 call 466800 call 414b18 call 495b40 call 466b38 2320->2328 2321->2328 2347 467bb6-467bd1 2328->2347 2348 467bee-467e24 call 466800 call 414b18 call 495b50 * 2 call 42e8c0 call 4145fc call 466b38 call 4145fc call 4181e0 call 42ed38 call 414b18 call 49581c call 495b40 call 41461c call 466800 call 414b18 call 466b38 call 4145fc call 466800 call 468c94 call 466800 call 414b18 call 466b38 call 4145fc call 466b40 call 466800 call 414b18 call 466b38 2328->2348 2349 467bd6-467be9 call 4145fc 2347->2349 2350 467bd3 2347->2350 2409 467e26-467e2f 2348->2409 2410 467e65-467f1e call 466800 call 468c94 call 466800 call 414b18 call 495b40 call 466b38 2348->2410 2349->2348 2350->2349 2409->2410 2411 467e31-467e60 call 414a44 call 466b40 2409->2411 2428 467f20-467f3b 2410->2428 2429 467f58-468379 call 466800 call 414b18 call 495b50 * 2 call 42e8c0 call 4145fc call 466b38 call 4145fc call 414b18 call 49581c call 495b40 call 41461c call 414b18 call 466800 call 468c94 call 466800 call 414b18 call 466b38 call 466b40 call 42bbd0 call 495b50 call 44e8b0 call 466800 call 468c94 call 466800 call 468c94 call 466800 call 468c94 * 2 call 414b18 call 466b38 call 466b40 call 468c94 call 4953e0 call 41a3d0 call 466800 call 40357c call 414b18 call 466b38 call 4145fc call 414b18 * 2 call 495b50 call 403494 call 40357c * 2 call 414b18 2410->2429 2411->2410 2430 467f40-467f53 call 4145fc 2428->2430 2431 467f3d 2428->2431 2528 46839d-4683a4 2429->2528 2529 46837b-468398 call 44ffdc call 450138 2429->2529 2430->2429 2431->2430 2531 4683a6-4683c3 call 44ffdc call 450138 2528->2531 2532 4683c8-4683cf 2528->2532 2529->2528 2531->2532 2534 4683f3-468439 call 4181e0 GetSystemMenu AppendMenuA call 403738 AppendMenuA call 468d88 2532->2534 2535 4683d1-4683ee call 44ffdc call 450138 2532->2535 2549 468453 2534->2549 2550 46843b-468442 2534->2550 2535->2534 2553 468455-468464 2549->2553 2551 468444-46844d 2550->2551 2552 46844f-468451 2550->2552 2551->2549 2551->2552 2552->2553 2554 468466-46846d 2553->2554 2555 46847e 2553->2555 2556 46846f-468478 2554->2556 2557 46847a-46847c 2554->2557 2558 468480-46849a 2555->2558 2556->2555 2556->2557 2557->2558 2559 468543-46854a 2558->2559 2560 4684a0-4684a9 2558->2560 2563 468550-468573 call 47c26c call 403450 2559->2563 2564 4685dd-4685eb call 414b18 2559->2564 2561 468504-46853e call 414b18 * 3 2560->2561 2562 4684ab-468502 call 47c26c call 414b18 call 47c26c call 414b18 call 47c26c call 414b18 2560->2562 2561->2559 2562->2559 2583 468584-468598 call 403494 2563->2583 2584 468575-468582 call 47c440 2563->2584 2570 4685f0-4685f9 2564->2570 2574 4685ff-468617 call 429fd8 2570->2574 2575 468709-468738 call 42b96c call 44e83c 2570->2575 2592 46868e-468692 2574->2592 2593 468619-46861d 2574->2593 2609 4687e6-4687ea 2575->2609 2610 46873e-468742 2575->2610 2605 4685aa-4685db call 42c804 call 42cbc0 call 403494 call 414b18 2583->2605 2606 46859a-4685a5 call 403494 2583->2606 2584->2605 2598 468694-46869d 2592->2598 2599 4686e2-4686e6 2592->2599 2600 46861f-468659 call 40b24c call 47c26c 2593->2600 2598->2599 2607 46869f-4686aa 2598->2607 2603 4686fa-468704 call 42a05c 2599->2603 2604 4686e8-4686f8 call 42a05c 2599->2604 2660 46865b-468662 2600->2660 2661 468688-46868c 2600->2661 2603->2575 2604->2575 2605->2570 2606->2605 2607->2599 2619 4686ac-4686b0 2607->2619 2612 4687ec-4687f3 2609->2612 2613 468869-46886d 2609->2613 2611 468744-468756 call 40b24c 2610->2611 2639 468788-4687bf call 47c26c call 44cb0c 2611->2639 2640 468758-468786 call 47c26c call 44cbdc 2611->2640 2612->2613 2622 4687f5-4687fc 2612->2622 2623 4688d6-4688df 2613->2623 2624 46886f-468886 call 40b24c 2613->2624 2628 4686b2-4686d5 call 40b24c call 406ac4 2619->2628 2622->2613 2633 4687fe-468809 2622->2633 2631 4688e1-4688f9 call 40b24c call 4699fc 2623->2631 2632 4688fe-468913 call 466ee0 call 466c5c 2623->2632 2654 4688c6-4688d4 call 4699fc 2624->2654 2655 468888-4688c4 call 40b24c call 4699fc * 2 call 46989c 2624->2655 2671 4686d7-4686da 2628->2671 2672 4686dc-4686e0 2628->2672 2631->2632 2685 468965-46896f call 414a44 2632->2685 2686 468915-468938 call 42a040 call 40b24c 2632->2686 2633->2632 2642 46880f-468813 2633->2642 2687 4687c4-4687c8 2639->2687 2640->2687 2653 468815-46882b call 40b24c 2642->2653 2682 46885e-468862 2653->2682 2683 46882d-468859 call 42a05c call 4699fc call 46989c 2653->2683 2654->2632 2655->2632 2660->2661 2673 468664-468676 call 406ac4 2660->2673 2661->2592 2661->2600 2671->2599 2672->2599 2672->2628 2673->2661 2696 468678-468682 2673->2696 2682->2653 2688 468864 2682->2688 2683->2632 2697 468974-468993 call 414a44 2685->2697 2711 468943-468952 call 414a44 2686->2711 2712 46893a-468941 2686->2712 2694 4687d3-4687d5 2687->2694 2695 4687ca-4687d1 2687->2695 2688->2632 2701 4687dc-4687e0 2694->2701 2695->2694 2695->2701 2696->2661 2702 468684 2696->2702 2713 468995-4689b8 call 42a040 call 469b5c 2697->2713 2714 4689bd-4689e0 call 47c26c call 403450 2697->2714 2701->2609 2701->2611 2702->2661 2711->2697 2712->2711 2717 468954-468963 call 414a44 2712->2717 2713->2714 2730 4689e2-4689eb 2714->2730 2731 4689fc-468a05 2714->2731 2717->2697 2730->2731 2732 4689ed-4689fa call 47c440 2730->2732 2733 468a07-468a19 call 403684 2731->2733 2734 468a1b-468a2b call 403494 2731->2734 2741 468a3d-468a54 call 414b18 2732->2741 2733->2734 2742 468a2d-468a38 call 403494 2733->2742 2734->2741 2746 468a56-468a5d 2741->2746 2747 468a8a-468a94 call 414a44 2741->2747 2742->2741 2748 468a5f-468a68 2746->2748 2749 468a6a-468a74 call 42b0e4 2746->2749 2753 468a99-468abe call 403400 * 3 2747->2753 2748->2749 2751 468a79-468a88 call 414a44 2748->2751 2749->2751 2751->2753
APIs
  • Part of subcall function 004958CC: GetWindowRect.USER32(00000000), ref: 004958E2
• LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00467773
  • Part of subcall function 0041D6B0: GetObjectA.GDI32(?,00000018,0046778D), ref: 0041D6DB
  • Part of subcall function 00467180: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
  • Part of subcall function 00467180: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
  • Part of subcall function 00466B40: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
  • Part of subcall function 00495B50: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00495B5A
  • Part of subcall function 0042ED38: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
  • Part of subcall function 0042ED38: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
  • Part of subcall function 0049581C: GetDC.USER32(00000000), ref: 0049583E
  • Part of subcall function 0049581C: SelectObject.GDI32(?,00000000), ref: 00495864
  • Part of subcall function 0049581C: ReleaseDC.USER32(00000000,?), ref: 004958B5
  • Part of subcall function 00495B40: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00495B4A
• GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0227FBF4,02281954,?,?,02281984,?,?,022819D4,?), ref: 004683FD
• AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 0046840E
• AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00468426
  • Part of subcall function 0042A05C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A072
Strings
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectReleaseSelectSendSystemUserWindow
• String ID: $(Default)$STOPIMAGE$%H
• API String ID: 3231140908-2624782221
• Opcode ID: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
• Instruction ID: 1a3196d4b4984e68f3522cc8585b165e0004af585c118fa25862355e2bbb38c0
• Opcode Fuzzy Hash: cd61aa661d0cbe35304877807cea77ca0702e96d718fc27b010991c92e86a780
• Instruction Fuzzy Hash: 95F2C6346005248FCB00EF69D9D9F9973F1BF49304F1582BAE5049B36ADB74AC46CB9A
                                                                                                            APIs
                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 00474FE1
                                                                                                            • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750BE
                                                                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,004750F2,?,?,0049C1E0,00000000), ref: 004750CC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                                            • String ID: unins$unins???.*
                                                                                                            • API String ID: 3541575487-1009660736
                                                                                                            • Opcode ID: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                                            • Instruction ID: 191fa049ef1442540897bd6b232d6b1da598bf4afdbbee48782243349675ce5a
                                                                                                            • Opcode Fuzzy Hash: 490a2bf6f62b777b12f8bb075fd261ec892e44da2a65e6c72c5e66397d3a6b60
                                                                                                            • Instruction Fuzzy Hash: 95315074A00548ABCB10EB65CD81BDEB7A9DF45304F50C0B6E40CAB3A2DB789F418B59
                                                                                                            APIs
                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452A9D
                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,00452AC3,?,?,-00000001,00000000), ref: 00452AA5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileFindFirstLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 873889042-0
                                                                                                            • Opcode ID: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                                            • Instruction ID: 3e58272229af866f17ac5928e9872a720c3be2d4903e778e839a846eb7d55d53
                                                                                                            • Opcode Fuzzy Hash: 9c675a8f1f28b386d0fa8c71b8ecb41695e84785a8bb79b0d9bc0322d07a8b6a
                                                                                                            • Instruction Fuzzy Hash: 94F0F971A04604AB8B10EF669D4149EF7ACEB8672571046BBFC14E3282DAB84E0485A8
                                                                                                            APIs
                                                                                                            • GetVersion.KERNEL32(?,0046E17A), ref: 0046E0EE
                                                                                                            • CoCreateInstance.OLE32(00499B98,00000000,00000001,00499BA8,?,?,0046E17A), ref: 0046E10A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateInstanceVersion
                                                                                                            • String ID:
                                                                                                            • API String ID: 1462612201-0
                                                                                                            • Opcode ID: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
                                                                                                            • Instruction ID: e32462cabb755f907f5de1887460af807d545ab7c9798ff14e002636b2035e3f
                                                                                                            • Opcode Fuzzy Hash: 323ef6e325584454da74969db5385277b15969f7569c16a340aaa36caeb4eadb
                                                                                                            • Instruction Fuzzy Hash: 90F0A7352812009FEB10975ADC86B8937C47B22315F50007BE04497292D2BD94C0471F
                                                                                                            APIs
                                                                                                            • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale
                                                                                                            • String ID:
                                                                                                            • API String ID: 2299586839-0
                                                                                                            • Opcode ID: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                                            • Instruction ID: 8daab3ef8e56b0da8b8c23f45c5b5388ad46b50bd825570c2d348c61856efc62
                                                                                                            • Opcode Fuzzy Hash: 64da881718ef9bfb5c3691e8182369eeaf442f2681d4624e7b5adc518b999176
                                                                                                            • Instruction Fuzzy Hash: BFE0223170021466C311AA2A9C86AEAB34C9758310F00427FB904E73C2EDB89E4042A8
                                                                                                            APIs
                                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424151,?,00000000,0042415C), ref: 00423BAE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: NtdllProc_Window
                                                                                                            • String ID:
                                                                                                            • API String ID: 4255912815-0
                                                                                                            • Opcode ID: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                                            • Instruction ID: a748582893d7571d6ac8bdbe819d0a8fbf5f36db2d3505b6f19a51c7a0bbae16
                                                                                                            • Opcode Fuzzy Hash: 03c86555d74cd6010afd77b9e61a524e96c156e733cd5bd8e2feacc4387cef90
                                                                                                            • Instruction Fuzzy Hash: 47F0B979205608AF8B40DF99C588D4ABBE8AB4C260B058195B988CB321C234ED808F90
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: NameUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2645101109-0
                                                                                                            • Opcode ID: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                                                            • Instruction ID: 9f318ec9847dd9a6abcb639c8bc611599857aea0b867fcad4bfaeec6bdb042bf
                                                                                                            • Opcode Fuzzy Hash: 969018677e36c7ee3cac7a31a88a81c68082f6a067fe28717e4d5eb0c099a74a
                                                                                                            • Instruction Fuzzy Hash: 8FD0C27230470473CB00AA689C825AA35CD8B84305F00483E3CC5DA2C3FABDDA485756
                                                                                                            APIs
                                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F53C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: NtdllProc_Window
                                                                                                            • String ID:
                                                                                                            • API String ID: 4255912815-0
                                                                                                            • Opcode ID: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                                            • Instruction ID: 7ca9c19e24a5def9c493c34941f9da96f9ca037215ec7a65a90973bf7a04e639
                                                                                                            • Opcode Fuzzy Hash: 9e43cbcd657a147b44e82c26281af1c584f356d37a2e763e4ec43db1fd6d4cd6
                                                                                                            • Instruction Fuzzy Hash: FCD09E7120011D7B9B00DE99E840D6B33AD9B88710B909925F945D7642D634ED9197A5

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 844 46f058-46f08a 845 46f0a7 844->845 846 46f08c-46f093 844->846 847 46f0ae-46f0e6 call 403634 call 403738 call 42dec0 845->847 848 46f095-46f09c 846->848 849 46f09e-46f0a5 846->849 856 46f101-46f12a call 403738 call 42dde4 847->856 857 46f0e8-46f0fc call 403738 call 42dec0 847->857 848->845 848->849 849->847 865 46f12c-46f135 call 46ed28 856->865 866 46f13a-46f163 call 46ee44 856->866 857->856 865->866 870 46f175-46f178 call 403400 866->870 871 46f165-46f173 call 403494 866->871 875 46f17d-46f1c8 call 46ee44 call 42c3fc call 46ee8c call 46ee44 870->875 871->875 884 46f1de-46f1ff call 45559c call 46ee44 875->884 885 46f1ca-46f1dd call 46eeb4 875->885 892 46f255-46f25c 884->892 893 46f201-46f254 call 46ee44 call 431404 call 46ee44 call 431404 call 46ee44 884->893 885->884 894 46f25e-46f29b call 431404 call 46ee44 call 431404 call 46ee44 892->894 895 46f29c-46f2a3 892->895 893->892 894->895 897 46f2e4-46f309 call 40b24c call 46ee44 895->897 898 46f2a5-46f2e3 call 46ee44 * 3 895->898 919 46f30b-46f316 call 47c26c 897->919 920 46f318-46f321 call 403494 897->920 898->897 929 46f326-46f331 call 478e04 919->929 920->929 934 46f333-46f338 929->934 935 46f33a 929->935 936 46f33f-46f509 call 403778 call 46ee44 call 47c26c call 46ee8c call 403494 call 40357c * 2 call 46ee44 call 403494 call 40357c * 2 call 46ee44 call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c call 46ee8c call 47c26c 934->936 935->936 999 46f51f-46f52d call 46eeb4 936->999 1000 46f50b-46f51d call 46ee44 936->1000 1004 46f532 999->1004 1005 46f533-46f57c call 46eeb4 call 46eee8 call 46ee44 call 47c26c call 46ef4c 1000->1005 1004->1005 1016 46f5a2-46f5af 1005->1016 1017 46f57e-46f5a1 call 46eeb4 * 2 1005->1017 1019 46f5b5-46f5bc 
1016->1019 1020 46f67e-46f685 1016->1020 1017->1016 1021 46f5be-46f5c5 1019->1021 1022 46f629-46f638 1019->1022 1023 46f687-46f6bd call 494cec 1020->1023 1024 46f6df-46f6f5 RegCloseKey 1020->1024 1021->1022 1026 46f5c7-46f5eb call 430bcc 1021->1026 1029 46f63b-46f648 1022->1029 1023->1024 1026->1029 1039 46f5ed-46f5ee 1026->1039 1030 46f65f-46f678 call 430c08 call 46eeb4 1029->1030 1031 46f64a-46f657 1029->1031 1042 46f67d 1030->1042 1031->1030 1035 46f659-46f65d 1031->1035 1035->1020 1035->1030 1041 46f5f0-46f616 call 40b24c call 479630 1039->1041 1047 46f623-46f625 1041->1047 1048 46f618-46f61e call 430bcc 1041->1048 1042->1020 1047->1041 1050 46f627 1047->1050 1048->1047 1050->1029
                                                                                                            APIs
                                                                                                              • Part of subcall function 0046EE44: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                                              • Part of subcall function 0046EEB4: RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                                            • RegCloseKey.ADVAPI32(?,0046F6FD,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046F748,?,?,0049C1E0,00000000), ref: 0046F6F0
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Value$Close
                                                                                                            • String ID: " /SILENT$5.5.3 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
                                                                                                            • API String ID: 3391052094-3342197833
                                                                                                            • Opcode ID: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                                            • Instruction ID: 0d1426ff9ce9a688a4d167ea33859b9e50b28094dc6fe7db73e07d6bdcf854ec
                                                                                                            • Opcode Fuzzy Hash: 41e5a022c9dfc144d242315d0234d20c9f1df57cded100a3ade253d049a3cf6c
                                                                                                            • Instruction Fuzzy Hash: D1125935A001089BDB04EF95E881ADE73F5EB48304F24817BE8506B366EB79AD45CF5E

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1051 492848-49287c call 403684 1054 49287e-49288d call 446f9c Sleep 1051->1054 1055 492892-49289f call 403684 1051->1055 1060 492d22-492d3c call 403420 1054->1060 1061 4928ce-4928db call 403684 1055->1061 1062 4928a1-4928c4 call 446ff8 call 403738 FindWindowA call 447278 1055->1062 1070 49290a-492917 call 403684 1061->1070 1071 4928dd-492905 call 446ff8 call 403738 FindWindowA call 447278 1061->1071 1081 4928c9 1062->1081 1079 492919-49295b call 446f9c * 4 SendMessageA call 447278 1070->1079 1080 492960-49296d call 403684 1070->1080 1071->1060 1079->1060 1089 4929bc-4929c9 call 403684 1080->1089 1090 49296f-4929b7 call 446f9c * 4 PostMessageA call 4470d0 1080->1090 1081->1060 1098 492a18-492a25 call 403684 1089->1098 1099 4929cb-492a13 call 446f9c * 4 SendNotifyMessageA call 4470d0 1089->1099 1090->1060 1111 492a52-492a5f call 403684 1098->1111 1112 492a27-492a4d call 446ff8 call 403738 RegisterClipboardFormatA call 447278 1098->1112 1099->1060 1127 492a61-492a9b call 446f9c * 3 SendMessageA call 447278 1111->1127 1128 492aa0-492aad call 403684 1111->1128 1112->1060 1127->1060 1140 492aaf-492aef call 446f9c * 3 PostMessageA call 4470d0 1128->1140 1141 492af4-492b01 call 403684 1128->1141 1140->1060 1151 492b48-492b55 call 403684 1141->1151 1152 492b03-492b43 call 446f9c * 3 SendNotifyMessageA call 4470d0 1141->1152 1162 492baa-492bb7 call 403684 1151->1162 1163 492b57-492b75 call 446ff8 call 42e394 1151->1163 1152->1060 1174 492bb9-492be5 call 446ff8 call 403738 call 446f9c GetProcAddress 1162->1174 1175 492c31-492c3e call 403684 1162->1175 1183 492b87-492b95 GetLastError call 447278 1163->1183 1184 492b77-492b85 call 447278 1163->1184 1208 492c21-492c2c call 4470d0 1174->1208 1209 492be7-492c1c call 446f9c * 2 call 447278 call 4470d0 1174->1209 1189 492c40-492c61 call 446f9c FreeLibrary call 4470d0 1175->1189 1190 492c66-492c73 call 403684 1175->1190 1195 492b9a-492ba5 call 447278 1183->1195 1184->1195 1189->1060 1201 492c98-492ca5 call 403684 1190->1201 1202 492c75-492c93 call 446ff8 call 403738 CreateMutexA 1190->1202 1195->1060 1217 492cdb-492ce8 call 403684 1201->1217 1218 492ca7-492cd9 call 48ccc8 call 403574 call 403738 OemToCharBuffA call 48cce0 1201->1218 1202->1060 1208->1060 1209->1060 1227 492cea-492d1c call 48ccc8 call 403574 call 403738 CharToOemBuffA call 48cce0 1217->1227 1228 492d1e 1217->1228 1218->1060 1227->1060 1228->1060
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(00000000,00000000,00492D3D,?,?,?,?,00000000,00000000,00000000), ref: 00492888
                                                                                                            • FindWindowA.USER32(00000000,00000000), ref: 004928B9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FindSleepWindow
                                                                                                            • String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
                                                                                                            • API String ID: 3078808852-3310373309
                                                                                                            • Opcode ID: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                                            • Instruction ID: 092cd3663c6e49ee7eb77a287a3c2ed341282e51176ce6ebc4a466309821376d
                                                                                                            • Opcode Fuzzy Hash: 543bbb3fa16e1ad260fa6bca8d7f7bf65573201bf2c1e3a3e9abb38e798cd817
                                                                                                            • Instruction Fuzzy Hash: D9C182A0B042003BDB14BF3E9D4551F59A99F95708B119A3FB446EB78BCE7CEC0A4359

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1621 483a7c-483aa1 GetModuleHandleA GetProcAddress 1622 483b08-483b0d GetSystemInfo 1621->1622 1623 483aa3-483ab9 GetNativeSystemInfo GetProcAddress 1621->1623 1624 483b12-483b1b 1622->1624 1623->1624 1625 483abb-483ac6 GetCurrentProcess 1623->1625 1626 483b2b-483b32 1624->1626 1627 483b1d-483b21 1624->1627 1625->1624 1634 483ac8-483acc 1625->1634 1630 483b4d-483b52 1626->1630 1628 483b23-483b27 1627->1628 1629 483b34-483b3b 1627->1629 1632 483b29-483b46 1628->1632 1633 483b3d-483b44 1628->1633 1629->1630 1632->1630 1633->1630 1634->1624 1636 483ace-483ad5 call 45271c 1634->1636 1636->1624 1639 483ad7-483ae4 GetProcAddress 1636->1639 1639->1624 1640 483ae6-483afd GetModuleHandleA GetProcAddress 1639->1640 1640->1624 1641 483aff-483b06 1640->1641 1641->1624
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                                            • GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                                            • GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                                            • GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483B0D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
                                                                                                            • String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
                                                                                                            • API String ID: 2230631259-2623177817
                                                                                                            • Opcode ID: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                                            • Instruction ID: d1db678d6bd555fecb25ccca0b477ef677e73c145b16f55f8d8b06b946339d0c
                                                                                                            • Opcode Fuzzy Hash: 7dca9948a1095c4364ab55fa8ed369d502b26d1142efbcbd424e95be4cda74f5
                                                                                                            • Instruction Fuzzy Hash: 7F1181C0204741A4DA00BFB94D45B6F65889B11F2AF040C7B6840AA287EABCEF44A76E

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1647 468d88-468dc0 call 47c26c 1650 468dc6-468dd6 call 478e24 1647->1650 1651 468fa2-468fbc call 403420 1647->1651 1656 468ddb-468e20 call 4078f4 call 403738 call 42de1c 1650->1656 1662 468e25-468e27 1656->1662 1663 468e2d-468e42 1662->1663 1664 468f98-468f9c 1662->1664 1665 468e57-468e5e 1663->1665 1666 468e44-468e52 call 42dd4c 1663->1666 1664->1651 1664->1656 1668 468e60-468e82 call 42dd4c call 42dd64 1665->1668 1669 468e8b-468e92 1665->1669 1666->1665 1668->1669 1688 468e84 1668->1688 1671 468e94-468eb9 call 42dd4c * 2 1669->1671 1672 468eeb-468ef2 1669->1672 1691 468ebb-468ec4 call 4314f8 1671->1691 1692 468ec9-468edb call 42dd4c 1671->1692 1674 468ef4-468f06 call 42dd4c 1672->1674 1675 468f38-468f3f 1672->1675 1689 468f16-468f28 call 42dd4c 1674->1689 1690 468f08-468f11 call 4314f8 1674->1690 1677 468f41-468f75 call 42dd4c * 3 1675->1677 1678 468f7a-468f90 RegCloseKey 1675->1678 1677->1678 1688->1669 1689->1675 1700 468f2a-468f33 call 4314f8 1689->1700 1690->1689 1691->1692 1692->1672 1704 468edd-468ee6 call 4314f8 1692->1704 1700->1675 1704->1672
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                            • RegCloseKey.ADVAPI32(?,00468FA2,?,?,00000001,00000000,00000000,00468FBD,?,00000000,00000000,?), ref: 00468F8B
                                                                                                            Strings
                                                                                                            • Inno Setup: User Info: Name, xrefs: 00468F47
                                                                                                            • %s\%s_is1, xrefs: 00468E05
                                                                                                            • Inno Setup: No Icons, xrefs: 00468E73
                                                                                                            • Inno Setup: Deselected Tasks, xrefs: 00468F19
                                                                                                            • Inno Setup: Selected Components, xrefs: 00468EAA
                                                                                                            • Inno Setup: Selected Tasks, xrefs: 00468EF7
                                                                                                            • Inno Setup: Deselected Components, xrefs: 00468ECC
                                                                                                            • Inno Setup: Setup Type, xrefs: 00468E9A
                                                                                                            • Inno Setup: User Info: Serial, xrefs: 00468F6D
                                                                                                            • Inno Setup: User Info: Organization, xrefs: 00468F5A
                                                                                                            • Inno Setup: App Path, xrefs: 00468E4A
                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468DE7
                                                                                                            • Inno Setup: Icon Group, xrefs: 00468E66
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen
                                                                                                            • String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                            • API String ID: 47109696-1093091907
                                                                                                            • Opcode ID: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                                            • Instruction ID: 069c4cdb4b1287edb5c1b702bebeb6c44c7684ad2aa17a57d1fdfe9a2539746b
                                                                                                            • Opcode Fuzzy Hash: b9928a5b5c0cf6c1dc91f6627cbb06318d05b30c5d76f15ccadbaf9fdfcb7506
                                                                                                            • Instruction Fuzzy Hash: 6B51A330A006449BCB15DB65D881BDEB7F5EB48304F50857EE840AB391EB79AF01CB59

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                              • Part of subcall function 0042D898: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00453DB4,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5), ref: 0042D8AB
                                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                              • Part of subcall function 0042D8F0: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                                              • Part of subcall function 0042D8F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                                            • SHGetKnownFolderPath.SHELL32(00499D30,00008000,00000000,?,00000000,0047C942), ref: 0047C846
                                                                                                            • CoTaskMemFree.OLE32(?,0047C88B), ref: 0047C87E
                                                                                                              • Part of subcall function 0042D208: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DA3E,00000000,0042DAD0,?,?,?,0049B628,00000000,00000000), ref: 0042D233
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
                                                                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                                            • API String ID: 3771764029-544719455
                                                                                                            • Opcode ID: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                                            • Instruction ID: 88e29a10730232d74bbdb0c5b7d00c3ea12cf2700f44d19641833b453bfd909d
                                                                                                            • Opcode Fuzzy Hash: 23963da8b4b34a95ffd58041a931adf40c150fbdd8371ea61f0364dbdea36cdf
                                                                                                            • Instruction Fuzzy Hash: 1461CF74A00204AFDB10EBA5D8C2A9E7B69EB44319F90C47FE404A7392DB3C9A44CF5D

                                                                                                            Control-flow Graph

                                                                                                            control_flow_graph 1949 423874-42387e 1950 4239a7-4239ab 1949->1950 1951 423884-4238a6 call 41f3c4 GetClassInfoA 1949->1951 1954 4238d7-4238e0 GetSystemMetrics 1951->1954 1955 4238a8-4238bf RegisterClassA 1951->1955 1957 4238e2 1954->1957 1958 4238e5-4238ef GetSystemMetrics 1954->1958 1955->1954 1956 4238c1-4238d2 call 408cbc call 40311c 1955->1956 1956->1954 1957->1958 1960 4238f1 1958->1960 1961 4238f4-423950 call 403738 call 4062e8 call 403400 call 42364c SetWindowLongA 1958->1961 1960->1961 1972 423952-423965 call 424178 SendMessageA 1961->1972 1973 42396a-423998 GetSystemMenu DeleteMenu * 2 1961->1973 1972->1973 1973->1950 1975 42399a-4239a2 DeleteMenu 1973->1975 1975->1950
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041F3C4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
                                                                                                            • GetClassInfoA.USER32(00400000,0042367C), ref: 0042389F
                                                                                                            • RegisterClassA.USER32(00499630), ref: 004238B7
                                                                                                            • GetSystemMetrics.USER32(00000000), ref: 004238D9
                                                                                                            • GetSystemMetrics.USER32(00000001), ref: 004238E8
                                                                                                            • SetWindowLongA.USER32(00410460,000000FC,0042368C), ref: 00423944
                                                                                                            • SendMessageA.USER32(00410460,00000080,00000001,00000000), ref: 00423965
                                                                                                            • GetSystemMenu.USER32(00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 00423970
                                                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C,0041EDA4), ref: 0042397F
                                                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042398C
                                                                                                            • DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410460,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239A2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                                            • String ID: |6B
                                                                                                            • API String ID: 183575631-3009739247
                                                                                                            • Opcode ID: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                                                            • Instruction ID: 5979ac727d64f3fe5c9a0a43452729076f54e0f9e4c251b9a4c28f9d6bed272f
                                                                                                            • Opcode Fuzzy Hash: 0318a091630d13b60d0a3e6aa49d41dd0f32c1053a4a49f7651c07b17dd5309d
                                                                                                            • Instruction Fuzzy Hash: E63152B17402006AEB10AF69DC82F6A37989B14709F60017BFA44EF2D7C6BDED40876D

Control-flow Graph (basic blocks of the function below with their successors, recovered from the Joe Sandbox IDA plugin graph; the Executed / Not Executed colouring of the original image is not recoverable in text)
• 1977: 47ce78-47cece, call 42c3fc, call 4035c0, call 47cb3c, call 4525d8 → 1986, 1987
• 1986: 47ced0-47ced5, call 453344 → 1987
• 1987: 47ceda-47cee9, call 4525d8 → 1991, 1992
• 1991: 47cf03-47cf09 → 1995, 1996
• 1992: 47ceeb-47cef1 → 1993, 1994
• 1993: 47cf13-47cf1b, call 403494 → 1995
• 1994: 47cef3-47cef9 → 1991, 1999
• 1995: 47cf20-47cf48, call 42e394 ×2 → 2003, 2004
• 1996: 47cf0b-47cf11 → 1993, 1995
• 1999: 47cefb-47cf01 → 1991, 1993
• 2003: 47cf6f-47cf89, GetProcAddress → 2006, 2007
• 2004: 47cf4a-47cf6a, call 4078f4, call 453344 → 2003
• 2006: 47cf95-47cfb2, call 403400 ×2 (no successors)
• 2007: 47cf8b-47cf90, call 453344 → 2006
                                                                                                            APIs
                                                                                                            • GetProcAddress.KERNEL32(74590000,SHGetFolderPathA), ref: 0047CF7A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc
                                                                                                            • String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$]xI$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
                                                                                                            • API String ID: 190572456-256906917
                                                                                                            • Opcode ID: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                                            • Instruction ID: ec9c61b31d03a4d18d2fa5da2167344019e511a33ceb5cf80618cf604467b355
                                                                                                            • Opcode Fuzzy Hash: c4b8d3d93c7f37bb14fa31bc5bbe574b3393d33fbabbe9beac26f258e91ad005
                                                                                                            • Instruction Fuzzy Hash: 20311D30E001499BCB10EFA5D5D1ADEB7B5EF44308F50847BE504E7281D778AE458B6D

Control-flow Graph (basic blocks of the function below with their successors, recovered from the Joe Sandbox IDA plugin graph; the Executed / Not Executed colouring of the original image is not recoverable in text)
• 2126: 40631c-406336, GetModuleHandleA, GetProcAddress → 2127, 2128
• 2127: 406338 → 2128
• 2128: 40633f-40634c, GetProcAddress → 2129, 2130
• 2129: 406355-406362, GetProcAddress → 2131, 2132
• 2130: 40634e → 2129
• 2131: 406364-406366, SetProcessDEPPolicy → 2132
• 2132: 406368-406369 (no successors)
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                                            • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleModulePolicyProcess
                                                                                                            • String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
                                                                                                            • API String ID: 3256987805-3653653586
                                                                                                            • Opcode ID: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                                            • Instruction ID: 935c6a5f7b98c90e27654dc67135d8c1f882d2ad5d8c1b9d0efaf55941893a49
                                                                                                            • Opcode Fuzzy Hash: fb4db72500fb8039bf9e982fa136c472a352d03826636d66c2b82dec8efce00d
                                                                                                            • Instruction Fuzzy Hash: 97E02D90380702ACEA1032B20D82F3B144C9B54B69B26543B7D56B51C7D9BDDD7059BD
                                                                                                            APIs
                                                                                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                                            • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                                            • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LongWindow$Prop
                                                                                                            • String ID: 3A$yA
                                                                                                            • API String ID: 3887896539-3278460822
                                                                                                            • Opcode ID: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                                            • Instruction ID: bcb4e109f9bb3244d1d15a250a8b19338fc20a7c4ef9bfc7c396c8b3ff51cb63
                                                                                                            • Opcode Fuzzy Hash: d9856cee796f57cc1685d9958f98130356579251106e4d85d69cc018d86e5275
                                                                                                            • Instruction Fuzzy Hash: 8C22D06508E3C05FE31B9B74896A5D57FA0EE13325B1D45DFC4C28B1A3D21E8A8BC71A

Control-flow Graph (basic blocks of the function below with their successors, recovered from the Joe Sandbox IDA plugin graph; the Executed / Not Executed colouring of the original image is not recoverable in text)
• 2894: 467180-46722a, call 41461c, call 41463c, call 41461c, call 41463c, SHGetFileInfo → 2903, 2904
• 2903: 46725f-46726a, call 478e04 → 2909, 2910
• 2904: 46722c-467233 → 2903, 2905
• 2905: 467235-46725a, ExtractIconA, call 4670c0 → 2903
• 2909: 46726c-4672b1, call 42c3fc, call 40357c, call 403738, ExtractIconA, call 4670c0 → 2932
• 2910: 4672bb-4672ce, call 47d33c → 2916, 2917
• 2916: 4672d0-4672da, call 47d33c → 2917
• 2917: 4672df-4672e3 → 2920, 2921
• 2920: 4672e5-467308, call 403738, SHGetFileInfo → 2921, 2930
• 2921: 46733d-467371, call 403400 ×2 (no successors)
• 2930: 46730a-467311 → 2921, 2931
• 2931: 467313-467338, ExtractIconA, call 4670c0 → 2921
• 2932: 4672b6 → 2921
                                                                                                            APIs
                                                                                                            • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467223
                                                                                                            • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467249
                                                                                                              • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
                                                                                                              • Part of subcall function 004670C0: DestroyCursor.USER32(00000000), ref: 0046716E
                                                                                                            • ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004672A0
                                                                                                            • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467301
                                                                                                            • ExtractIconA.SHELL32(00400000,00000000,?), ref: 00467327
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                                            • String ID: c:\directory$shell32.dll$%H
                                                                                                            • API String ID: 3376378930-166502273
                                                                                                            • Opcode ID: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                                            • Instruction ID: 732e1a1751fb8a235258c93266195bfa595ebd68417bad8a6af0601d960a2915
                                                                                                            • Opcode Fuzzy Hash: d7a251f7ede599729126a20c6e5bc656e487c76ea0efebb03c6af550fa195c4c
                                                                                                            • Instruction Fuzzy Hash: 8A516070604244AFD710DF65CD8AFDFB7A8EB48308F1081A6F80897351D6789E81DA59
                                                                                                            APIs
                                                                                                            • GetActiveWindow.USER32 ref: 0042F58F
                                                                                                            • GetFocus.USER32 ref: 0042F597
                                                                                                            • RegisterClassA.USER32(004997AC), ref: 0042F5B8
                                                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F68C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F5F6
                                                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F63C
                                                                                                            • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F64D
                                                                                                            • SetFocus.USER32(00000000,00000000,0042F66F,?,?,?,00000001,00000000,?,00458352,00000000,0049B628), ref: 0042F654
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                                            • String ID: TWindowDisabler-Window
                                                                                                            • API String ID: 3167913817-1824977358
                                                                                                            • Opcode ID: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                                                            • Instruction ID: c3989f54cd535b42bfd745bd8d6279a550c1ea008e6f4be51b2d228796931bcd
                                                                                                            • Opcode Fuzzy Hash: d82bdac47665a0423d7aef7e4f95abac113c6b4ba7ee72313a02f6ddbd37ff30
                                                                                                            • Instruction Fuzzy Hash: B021A170740710BAE310EF66AD43F1A76B8EB04B44F91853BF604AB2E1D7B86D0586AD
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                                            • API String ID: 1646373207-2130885113
                                                                                                            • Opcode ID: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                                                            • Instruction ID: a781b9bdaab79611976bfea65fa4e072d6e85bd62b4b6e26dfe65079d72397a7
                                                                                                            • Opcode Fuzzy Hash: d7661fd9f0913dad122060e2c1ded37189c483bc636f4dff06c0b7ded89dfa78
                                                                                                            • Instruction Fuzzy Hash: EA01D470240B00FED301AF63AD12F663A58D7557ABF6044BBFC14965C2C77C4A088E6D
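The GetModuleHandleA / GetProcAddress chains recorded in the function blocks above (SetDllDirectoryW, SetSearchPathMode and SetProcessDEPPolicy at 0040632F-00406366, SHGetFolderPathA at 0047CF7A, Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection at 00453210-00453230) are the part of a report like this that is worth checking by machine rather than by eye. The Python below is an added example, not Joe Sandbox tooling and not code from the sample: it parses API entries in the report's "• Name.MODULE(args), ref: ADDR" format (the sample lines are constructed copies of entries from this page), pairs each GetProcAddress with the loader call that precedes it, decodes the SetProcessDEPPolicy flag, and reports hits against a watch-list that is an assumption of this example. One caveat it handles explicitly: the argument lists in these entries are snapshots of stack slots rather than the API's declared parameters, so, as the Wow64 entries above show, the function-name string can appear in the preceding GetModuleHandleA entry while the GetProcAddress entry itself shows only "kernel32.dll".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: API entries copied in the shape Joe Sandbox prints
# them in the per-function "APIs" blocks ("• Name.MODULE(args), ref: ADDR").
SAMPLE_LINES = """
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
• GetProcAddress.KERNEL32(74590000,SHGetFolderPathA), ref: 0047CF7A
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
• GetCurrentThreadId.KERNEL32 ref: 00430971
  • Part of subcall function 004670C0: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00467158
"""

# One report entry: optional bullet, optional "Part of subcall function X:" prefix,
# Api.MODULE, optional "(args)", then ", ref: ADDR" (entries with no arguments omit the comma).
LINE_RE = re.compile(
    r"^(?:[•*-]\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # a raw 32-bit stack value, not a string
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW",
           "LoadLibraryExA", "LoadLibraryExW"}
# Hypothetical watch-list (an assumption of this example): dynamically resolved names
# worth surfacing when triaging a loader/installer-style sample.
WATCHLIST = {"SetProcessDEPPolicy", "SetDllDirectoryW", "SetSearchPathMode", "SHGetFolderPathA",
             "Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"}
DEP_FLAGS = {1: "PROCESS_DEP_ENABLE", 2: "PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None

    def string_args(self) -> List[str]:
        """Arguments that look like strings rather than 32-bit values or unknown ('?') slots."""
        return [a for a in self.args if a and a != "?" and not HEX_RE.match(a)]


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the text of an 'APIs' block into ApiCall records; headings and blanks are skipped."""
    calls = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        args = m.group("args")
        arg_list = [a.strip() for a in args.split(",")] if args else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), arg_list,
                             m.group("ref").upper(), m.group("sub")))
    return calls


def resolved_api_names(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Map each name resolved via GetProcAddress to the call sites (ref addresses) resolving it.

    The argument list is a stack snapshot, so the name string is taken from the GetProcAddress
    entry and from the most recent loader entry before it. Stale slots can attribute a name to
    one extra call site (the second Wow64 entry in the sample does this), so refs are approximate.
    """
    names: Dict[str, List[str]] = {}
    last_loader: Optional[ApiCall] = None
    for c in calls:
        if c.api in LOADERS:
            last_loader = c
        elif c.api == "GetProcAddress":
            candidates = c.string_args() + (last_loader.string_args() if last_loader else [])
            for n in candidates:
                if n.lower().endswith(".dll"):
                    continue  # module names are loader arguments, not resolved symbols
                refs = names.setdefault(n, [])
                if c.ref not in refs:
                    refs.append(c.ref)
    return names


def dep_policy_settings(calls: List[ApiCall]) -> List[Tuple[str, int, str]]:
    """Decode the dwFlags argument of every SetProcessDEPPolicy call (0 turns DEP off)."""
    out = []
    for c in calls:
        if c.api == "SetProcessDEPPolicy" and c.args and HEX_RE.match(c.args[0]):
            flags = int(c.args[0], 16)
            meaning = " | ".join(v for k, v in DEP_FLAGS.items() if flags & k) or "DEP_DISABLED"
            out.append((c.ref, flags, meaning))
    return out


def triage(text: str) -> dict:
    """Summarise one APIs block: counts, watch-listed dynamic resolutions, DEP policy changes."""
    calls = parse_api_lines(text)
    resolved = resolved_api_names(calls)
    return {
        "calls": len(calls),
        "subcalls": sum(1 for c in calls if c.subcall_of),
        "watchlist_hits": sorted(n for n in resolved if n in WATCHLIST),
        "dep_policy": dep_policy_settings(calls),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On the constructed sample the watch-list hits are the six names above and the single DEP change decodes to PROCESS_DEP_ENABLE at 00406366, i.e. the process opts itself into DEP rather than out of it. The over-attribution noted in the docstring is visible in the result for Wow64DisableWow64FsRedirection, which is credited to both 00453216 and 00453230 because the second GetModuleHandleA snapshot still contains the first name; when the exact call site matters, confirm it in the disassembly rather than from the argument snapshot.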
                                                                                                            APIs
                                                                                                            • RegisterClipboardFormatA.USER32(commdlg_help), ref: 00430948
                                                                                                            • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 00430957
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00430971
                                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 00430992
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                                            • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                                            • API String ID: 4130936913-2943970505
                                                                                                            • Opcode ID: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                                                            • Instruction ID: 0bd92e6c8c1c5a5b8444157758b44b4e11dae02c37acc47d2edddbd1fb793b69
                                                                                                            • Opcode Fuzzy Hash: 8a088dfdc0b2c62b7d21c5c596ec815df7ae76573c78c741c8a86d6eee6cb681
                                                                                                            • Instruction Fuzzy Hash: 22F012B0458340DEE300EB65994271E7BD0EF58718F50467FF498A6392D7795904CB5F
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C,00000000), ref: 004551BA
                                                                                                            • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0045522C,0045522C,?,0045522C), ref: 004551C7
                                                                                                              • Part of subcall function 00454F7C: WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
                                                                                                              • Part of subcall function 00454F7C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
                                                                                                              • Part of subcall function 00454F7C: GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
                                                                                                              • Part of subcall function 00454F7C: CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                                            • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                                            • API String ID: 854858120-615399546
                                                                                                            • Opcode ID: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                                                            • Instruction ID: 058baa7e90e176347c833b132b7c272bf8058e823d6e061bdbf2f6311869cd9e
                                                                                                            • Opcode Fuzzy Hash: 5ea26466aa0b1bd12af3311b8e232ebea4e464fdb3bb6eef9ccee3db0f285c88
                                                                                                            • Instruction Fuzzy Hash: 41516D34B0074DABCF10EFA5D852BDEBBB9AF44305F50447BB804B7292D7789A098B59
                                                                                                            APIs
                                                                                                            • LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                                            • OemToCharA.USER32(?,?), ref: 0042375C
                                                                                                            • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Char$FileIconLoadLowerModuleName
                                                                                                            • String ID: 2$MAINICON
                                                                                                            • API String ID: 3935243913-3181700818
                                                                                                            • Opcode ID: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
                                                                                                            • Instruction ID: 339a64ebbf2375270c19ef2cfa2d714624ee8dcb7e06b01b5ae6522dc3b50067
                                                                                                            • Opcode Fuzzy Hash: cdc8d4d12959e52a4e35ddab44250c7989461c9b781fe211d3ab07d5faa44346
                                                                                                            • Instruction Fuzzy Hash: 243181B0A042549ADF10EF29D8C57C67BA8AF14308F4441BAE844DB393D7BED988CB59
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 00495519
                                                                                                              • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                                                            • GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                                                            • GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                                                            Strings
                                                                                                            • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00495546
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
                                                                                                            • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                                                                            • API String ID: 2948443157-222967699
                                                                                                            • Opcode ID: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                                            • Instruction ID: fbfe8d588f566b1ae935688c8d8bbf43f3780a3d17a9f30f48774e54417b88ea
                                                                                                            • Opcode Fuzzy Hash: 15e89f7ca813e7522845c960856b2cdc022ede195b48aa860a28df6e22a0f939
                                                                                                            • Instruction Fuzzy Hash: 98018476A04704BFEB05DBE9CC41E5EB7EDEB48714F614476F604E7281D678AE008B28
                                                                                                            APIs
                                                                                                            • GetCurrentProcessId.KERNEL32(00000000), ref: 00418F3D
                                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F5E
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00418F79
                                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 00418F9A
                                                                                                              • Part of subcall function 004230C8: GetDC.USER32(00000000), ref: 0042311E
                                                                                                              • Part of subcall function 004230C8: EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                                              • Part of subcall function 004230C8: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                                              • Part of subcall function 004230C8: ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                                              • Part of subcall function 0042368C: LoadIconA.USER32(00400000,MAINICON), ref: 0042371C
                                                                                                              • Part of subcall function 0042368C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 00423749
                                                                                                              • Part of subcall function 0042368C: OemToCharA.USER32(?,?), ref: 0042375C
                                                                                                              • Part of subcall function 0042368C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FE6,00000000,?,?,?,00000001), ref: 0042379C
                                                                                                              • Part of subcall function 0041F118: GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
                                                                                                              • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
                                                                                                              • Part of subcall function 0041F118: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
                                                                                                              • Part of subcall function 0041F118: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
                                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
                                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
                                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
                                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
                                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
                                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
                                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
                                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
                                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
                                                                                                              • Part of subcall function 0041F118: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
                                                                                                            • String ID: ControlOfs%.8X%.8X$Delphi%.8X
                                                                                                            • API String ID: 316262546-2767913252
                                                                                                            • Opcode ID: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                                            • Instruction ID: d883a59e21ed3b4d0722d018b4a025de81f9e45e1fd093e44b5ebaba0e30331f
                                                                                                            • Opcode Fuzzy Hash: b417f06b73a7dba032b12b865c8ed9bc6bb92a8bfb887f153b822e9fb73695be
                                                                                                            • Instruction Fuzzy Hash: AC115E706142419AD740FF76A94235A7BE1DF64308F40943FF448A7391DB3DA9448B5F
                                                                                                            APIs
                                                                                                            • SetWindowLongA.USER32(?,000000FC,?), ref: 00413664
                                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0041366F
                                                                                                            • GetWindowLongA.USER32(?,000000F4), ref: 00413681
                                                                                                            • SetWindowLongA.USER32(?,000000F4,?), ref: 00413694
                                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136AB
                                                                                                            • SetPropA.USER32(?,00000000,00000000), ref: 004136C2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LongWindow$Prop
                                                                                                            • String ID:
                                                                                                            • API String ID: 3887896539-0
                                                                                                            • Opcode ID: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                                            • Instruction ID: 06abc153636d574f2b9d5b42ed2ef1d3d1989bf2b09c04f5b7aa0ee96fd2bcf7
                                                                                                            • Opcode Fuzzy Hash: 7846fecbe383e6d7fdaea4169180c186d89bab15e88d328ea810806c298c4441
                                                                                                            • Instruction Fuzzy Hash: 1011C975100244BFEF00DF9DDC84EDA37E8EB19364F144666B958DB2A2D738DD908B68
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045586F,?,00000000,004558AF), ref: 004557B5
                                                                                                            Strings
                                                                                                            • PendingFileRenameOperations2, xrefs: 00455784
                                                                                                            • PendingFileRenameOperations, xrefs: 00455754
                                                                                                            • WININIT.INI, xrefs: 004557E4
                                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455738
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen
                                                                                                            • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
                                                                                                            • API String ID: 47109696-2199428270
                                                                                                            • Opcode ID: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                                            • Instruction ID: 0fa1da25f67206326559771d92c7e47b52ca8d856d575cc5f046ac455f5bab2a
                                                                                                            • Opcode Fuzzy Hash: 430bb035026106b65f85e2b07525b73901b650abba9068f13605831850c1f819
                                                                                                            • Instruction Fuzzy Hash: FF51A974E006089FDB10EF61DC51AEEB7B9EF44305F50857BEC04A7292DB78AE49CA58
                                                                                                            APIs
                                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC27
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,0047CCEA,?,?,00000000,0049B628,00000000,00000000,?,00498539,00000000,004986E2,?,00000000), ref: 0047CC30
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                            • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                                                                                            • API String ID: 1375471231-2952887711
                                                                                                            • Opcode ID: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                                            • Instruction ID: e6577b7b61f0e0a35e690824fc442bae28cfcbc8f9cba78cd8161ab2dbd6b5d1
                                                                                                            • Opcode Fuzzy Hash: 18b8a6295044c03030742dd0e1a53df86680db30ea117cbe65252b99daff8b31
                                                                                                            • Instruction Fuzzy Hash: E6412834A001099BDB11EFA5D882ADEB7B5EF45309F50843BE81577392DA38AE05CF68
                                                                                                            APIs
                                                                                                            • EnumWindows.USER32(00423A1C), ref: 00423AA8
                                                                                                            • GetWindow.USER32(?,00000003), ref: 00423ABD
                                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
                                                                                                            • SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: Window$EnumLongWindows
                                                                                                            • String ID: \AB
                                                                                                            • API String ID: 4191631535-3948367934
                                                                                                            • Opcode ID: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                                            • Instruction ID: 3ad81c14f5822e14e615a382c86082b2427cd388a5bf15486a3129e996868218
                                                                                                            • Opcode Fuzzy Hash: 1f387ac1e946b45dcea70a74dde1e3cf145931a60cd8f654a7309261af8d74ee
                                                                                                            • Instruction Fuzzy Hash: D6115E70700610ABDB109F28E885F5677E8EB08715F10026AF994AB2E3C378ED41CB59
                                                                                                            APIs
                                                                                                            • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DE50
                                                                                                            • GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DFEB,00000000,0042E003,?,?,?,?,00000006,?,00000000,0049785D), ref: 0042DE6B
                                                                                                            • GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DE71
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: AddressDeleteHandleModuleProc
                                                                                                            • String ID: RegDeleteKeyExA$advapi32.dll
                                                                                                            • API String ID: 588496660-1846899949
                                                                                                            • Opcode ID: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                                            • Instruction ID: e7246de0df94fba710dd2820c0ca51643d5dd29c3ac0bea476bad59fd0e01b91
                                                                                                            • Opcode Fuzzy Hash: ed1542cdc99e60fdc1e6205037aed1b156b4601bf62b1d4fa5b097ff81e7402e
                                                                                                            • Instruction Fuzzy Hash: 73E06DF1B41B30AAD72022657C8ABA33729DB75365F658437F105AD19183FC2C50CE9D
                                                                                                            Strings
                                                                                                            • Need to restart Windows? %s, xrefs: 0046BE95
                                                                                                            • NextButtonClick, xrefs: 0046BC4C
                                                                                                            • PrepareToInstall failed: %s, xrefs: 0046BE6E
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
                                                                                                            • API String ID: 0-2329492092
                                                                                                            • Opcode ID: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                                                            • Instruction ID: 9de4db1b3e70fdebeced0fe060001c857bcfdee1b2562a0b259a97201065334e
                                                                                                            • Opcode Fuzzy Hash: bdd1d04c3163942a70fe70ce9c3da0cdba0d450c43b562cfb8d9ec13df8274e7
                                                                                                            • Instruction Fuzzy Hash: 46D12F34A00108DFCB14EB99D985AED77F5EF49304F5440BAE404EB362D778AE85CB9A
                                                                                                            APIs
                                                                                                            • SetActiveWindow.USER32(?,?,00000000,004833D5), ref: 004831A8
                                                                                                            • SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 00483246
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: ActiveChangeNotifyWindow
                                                                                                            • String ID: $Need to restart Windows? %s
                                                                                                            • API String ID: 1160245247-4200181552
                                                                                                            • Opcode ID: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                                                                            • Instruction ID: 855c298393525188f16043e43c8caa20abfdb27870bda8f6eb76b0fac02994d3
                                                                                                            • Opcode Fuzzy Hash: 00647651f2966e2d6c0ac7b0a33bca8c0b176202d01056079f53a530b7b0addf
                                                                                                            • Instruction Fuzzy Hash: 7E918F34A042449FDB10EF69D8C6BAD77E0AF55708F5484BBE8009B362DB78AE05CB5D
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                                            • GetLastError.KERNEL32(00000000,0046FCD9,?,?,0049C1E0,00000000), ref: 0046FBB6
                                                                                                            • SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046FC30
                                                                                                            • SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046FC55
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                                            • String ID: Creating directory: %s
                                                                                                            • API String ID: 2451617938-483064649
                                                                                                            • Opcode ID: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                                                            • Instruction ID: a145aa70eb484b5d007d33f2831cd5d1f219efd535f83afbcf26a903565c5eea
                                                                                                            • Opcode Fuzzy Hash: 1aeec9fc70de36e1ff09abf6a814cf31666cc4aa73152690207cd024c9806782
                                                                                                            • Instruction Fuzzy Hash: 7D512F74E00248ABDB01DBA5D982ADEBBF4AF49304F50847AEC50B7382D7795E08CB59
                                                                                                            APIs
                                                                                                            • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 00454E82
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454F48), ref: 00454EEC
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: AddressByteCharMultiProcWide
                                                                                                            • String ID: SfcIsFileProtected$sfc.dll
                                                                                                            • API String ID: 2508298434-591603554
                                                                                                            • Opcode ID: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                                            • Instruction ID: 709c5f55a6f5f8285c9c61fd8393730e8027effee09c5548c71846991cac34f0
                                                                                                            • Opcode Fuzzy Hash: bb559eb6b427547f50ac361efa45694dce53a5facbc0d321e4ca2111cb35c873
                                                                                                            • Instruction Fuzzy Hash: E8419671A04318DBEB20EF59DC85B9DB7B8AB4430DF5041B7A908A7293D7785F88CA1C
                                                                                                            APIs
                                                                                                            • GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                                            • UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                                            • RegisterClassA.USER32(?), ref: 004164CE
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: Class$InfoRegisterUnregister
                                                                                                            • String ID: @
                                                                                                            • API String ID: 3749476976-2766056989
                                                                                                            • Opcode ID: df6e090dea74baa5ac925230d828a7230e5c2d53f0976f0f8597eebaced2b944
                                                                                                            • Instruction ID: c77080f262680b7bd3c4c6a37e0a11d074b1995aa9dd52ebf92fb76dd285a693
                                                                                                            • Opcode Fuzzy Hash: df6e090dea74baa5ac925230d828a7230e5c2d53f0976f0f8597eebaced2b944
                                                                                                            • Instruction Fuzzy Hash: B8316D702042409BD720EF69C981B9B77E5AB89308F04457FF949DB392DB39DD44CB6A
                                                                                                            APIs
                                                                                                            • 74D41520.VERSION(00000000,?,?,?,00497900), ref: 00452530
                                                                                                            • 74D41500.VERSION(00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 0045255D
                                                                                                            • 74D41540.VERSION(?,004525D4,?,?,00000000,?,00000000,?,00000000,004525AB,?,00000000,?,?,?,00497900), ref: 00452577
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: D41500D41520D41540
                                                                                                            • String ID: %E
                                                                                                            • API String ID: 2153611984-175436132
                                                                                                            • Opcode ID: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                                            • Instruction ID: f5dca5bfdad9659449235e2d7a4f424f1fde127461be4d93bb02e754cc996b3f
                                                                                                            • Opcode Fuzzy Hash: f18440ec30d6a8502c14f0dca7f1c7caee1af709ad5b943411f89d38bbe9f821
                                                                                                            • Instruction Fuzzy Hash: D2218331A00608BFDB01DAA989519AFB7FCEB4A300F554477F800E7242E6B9AE04C765
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 0044B401
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0044B424
                                                                                                            • ReleaseDC.USER32(00000000,?), ref: 0044B457
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: ObjectReleaseSelect
                                                                                                            • String ID: %H
                                                                                                            • API String ID: 1831053106-1959103961
                                                                                                            • Opcode ID: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                                            • Instruction ID: 242bcfed98594cbdcf51f2854abe94a1ec69c13560e3a72339b9f4254961cc58
                                                                                                            • Opcode Fuzzy Hash: 613a86eb96bd964688756472f8397141eb38d2c4caf6b0936a0a8cf616000036
                                                                                                            • Instruction Fuzzy Hash: 62216570A04248AFEB15DFA6C841B9F7BB9DB49304F11806AF904A7682D778D940CB59
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B14C,?,%H,?,?), ref: 0044B11E
                                                                                                            • DrawTextW.USER32(?,?,00000000,?,?), ref: 0044B131
                                                                                                            • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B165
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: DrawText$ByteCharMultiWide
                                                                                                            • String ID: %H
                                                                                                            • API String ID: 65125430-1959103961
                                                                                                            • Opcode ID: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                                                            • Instruction ID: fec6fabf6d030a51aab30bc406273ff78954f96defe81b00f374268ef7e1f253
                                                                                                            • Opcode Fuzzy Hash: b9978a40832644be7eb99ff61e6ae739c3599586bb389d309c0d7579617ef2e1
                                                                                                            • Instruction Fuzzy Hash: 2A11CBB27046047FEB00DB6A9C91D6F77ECDB49750F10817BF504D72D0D6399E018669
                                                                                                            APIs
                                                                                                            • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EDC5
                                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                            • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EDA8
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
                                                                                                            • String ID: SHAutoComplete$shlwapi.dll
                                                                                                            • API String ID: 395431579-1506664499
                                                                                                            • Opcode ID: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                                                            • Instruction ID: e807f919b0f5f47641bb36d66eaae5ab4e0d2818c3cb02d7dc2bc8906116ae4e
                                                                                                            • Opcode Fuzzy Hash: 42f9dcb05abbf77f41298dba7160eccf52289638d4fdae2cac913a0c4d077c72
                                                                                                            • Instruction Fuzzy Hash: 3311A330B00319BBD711EB62FD85B8E7BA8DB55704F90447BF40066291DBB8AE05C65D
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                            • RegCloseKey.ADVAPI32(?,00455A7B,?,00000001,00000000), ref: 00455A6E
                                                                                                            Strings
                                                                                                            • PendingFileRenameOperations2, xrefs: 00455A4F
                                                                                                            • PendingFileRenameOperations, xrefs: 00455A40
                                                                                                            • SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455A1C
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen
                                                                                                            • String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
                                                                                                            • API String ID: 47109696-2115312317
                                                                                                            • Opcode ID: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                                                            • Instruction ID: e9356c19d9a7d2c1b22529064790e486fb2be540b5bf165494b3782c633fa2c0
                                                                                                            • Opcode Fuzzy Hash: 336a8554af3216e9fad4f98949cc8fac3f30a8fbf7097481dd1a9e766711aba3
                                                                                                            • Instruction Fuzzy Hash: A3F0F671304A08BFDB04D661DC62A3B739CE744725FB08167F800CB682EA7CBD04915C
                                                                                                            APIs
                                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472301
                                                                                                            • FindClose.KERNEL32(000000FF,0047232C,00472325,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 0047231F
                                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1), ref: 00472423
                                                                                                            • FindClose.KERNEL32(000000FF,0047244E,00472447,?,00000000,?,0049C1E0,00000000,00472515,?,00000000,?,00000000,?,004726E1,?), ref: 00472441
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseFileNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 2066263336-0
                                                                                                            • Opcode ID: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                                            • Instruction ID: ff38abb04fb96460afd2c3532f2e87b2ffc4f25b99c166b2ff4046d92e8ebf4f
                                                                                                            • Opcode Fuzzy Hash: 5852171562c0697583dfb39d2e83bd074d15792751f52c1309e6650eed3a72c0
                                                                                                            • Instruction Fuzzy Hash: 3EC14C3490424D9FCF11DFA5C981ADEBBB8FF49304F5080AAE808B3251D7789A46CF58
                                                                                                            APIs
                                                                                                            • FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?,00000000), ref: 0047FD9E
                                                                                                            • FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?,?), ref: 0047FDAB
                                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147), ref: 0047FEA0
                                                                                                            • FindClose.KERNEL32(000000FF,0047FECB,0047FEC4,?,?,?,?,00000000,0047FEF1,?,00000000,00000000,?,?,00481147,?), ref: 0047FEBE
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseFileNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 2066263336-0
                                                                                                            • Opcode ID: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                                            • Instruction ID: 5570db9595827249690d4c596f970be035a6cb65fb6c4bc3b070d2a6e7e06d26
                                                                                                            • Opcode Fuzzy Hash: 56ee50c7cb7fa2545e62f1cc5d9b880787f4aaf8996287a3801f00069153f90f
                                                                                                            • Instruction Fuzzy Hash: 34512D71A006499FCB21DF65CC45ADEB7B8EB88319F1084BAA818A7351D7389F89CF54
                                                                                                            APIs
                                                                                                            • GetMenu.USER32(00000000), ref: 00421361
                                                                                                            • SetMenu.USER32(00000000,00000000), ref: 0042137E
                                                                                                            • SetMenu.USER32(00000000,00000000), ref: 004213B3
                                                                                                            • SetMenu.USER32(00000000,00000000), ref: 004213CF
                                                                                                            Similarity
                                                                                                            • API ID: Menu
                                                                                                            • String ID:
                                                                                                            • API String ID: 3711407533-0
                                                                                                            • Opcode ID: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                                            • Instruction ID: 68e231870b0c3442489bede8fdcf2aa1db34e154331db007d9f14f65c1163b63
                                                                                                            • Opcode Fuzzy Hash: 011238806e8749de4259267c2425fab43e1a23b2a7ed20fe69ece2c0c4e48eae
                                                                                                            • Instruction Fuzzy Hash: 4641AE3070425447EB20EA3AA9857AB36925B20308F4841BFFC40DF7A3CA7CDD45839D
                                                                                                            APIs
                                                                                                            • SendMessageA.USER32(?,?,?,?), ref: 00416B84
                                                                                                            • SetTextColor.GDI32(?,00000000), ref: 00416B9E
                                                                                                            • SetBkColor.GDI32(?,00000000), ref: 00416BB8
                                                                                                            • CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BE0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$CallMessageProcSendTextWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 601730667-0
                                                                                                            • Opcode ID: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                                            • Instruction ID: 4ea48ea5c9b96bae81565ca4ce64eb356f32bd46963e120bc97d04dec40f2685
                                                                                                            • Opcode Fuzzy Hash: 072521f5090f240ceba025e33949739ce14f97652003165ca459573163e57643
                                                                                                            • Instruction Fuzzy Hash: BC115171705604AFD710EE6ECC84E8777ECEF49310715887EB959CB612C638F8418B69
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 0042311E
                                                                                                            • EnumFontsA.GDI32(00000000,00000000,00423068,00410460,00000000,?,?,00000000,?,00418FD3,00000000,?,?,?,00000001), ref: 00423131
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00423139
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00423144
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CapsDeviceEnumFontsRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 2698912916-0
                                                                                                            • Opcode ID: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                                            • Instruction ID: a9d24610abdaa6694e735d00c6d38f20457f2ac5f1468c421a1b182fb2ef8db9
                                                                                                            • Opcode Fuzzy Hash: ae3b46bdf4144dece9088701a44aa945a4d7eb571b2044da6dc5baa79edeb2ca
                                                                                                            • Instruction Fuzzy Hash: 8D01CC716042102AE700BF6A5C82B9B3AA49F01319F40027BF808AA3C6DA7E980547AE
                                                                                                            APIs
                                                                                                              • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                                            • FlushFileBuffers.KERNEL32(?), ref: 0045C499
                                                                                                            Strings
                                                                                                            • NumRecs range exceeded, xrefs: 0045C396
                                                                                                            • EndOffset range exceeded, xrefs: 0045C3CD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$BuffersFlush
                                                                                                            • String ID: EndOffset range exceeded$NumRecs range exceeded
                                                                                                            • API String ID: 3593489403-659731555
                                                                                                            • Opcode ID: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                                            • Instruction ID: 69b4fe9c868b7cadc716880164946defc5db249b4b2908964217ac1dcc813941
                                                                                                            • Opcode Fuzzy Hash: 7579bb90891bfddca92618b6050c99dc039493a8a69e6275f659694612805aa2
                                                                                                            • Instruction Fuzzy Hash: 4F617334A002588FDB25DF25C891AD9B7B5AF49305F0084DAED88AB353D674AEC8CF54
                                                                                                            APIs
                                                                                                              • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                                              • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                                              • Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
                                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
                                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
                                                                                                              • Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
                                                                                                              • Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
                                                                                                              • Part of subcall function 004063C4: 6F551CD0.COMCTL32(00498BC5), ref: 004063C4
                                                                                                              • Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
                                                                                                              • Part of subcall function 00419040: GetVersion.KERNEL32(00498BDE), ref: 00419040
                                                                                                              • Part of subcall function 0044F744: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                                              • Part of subcall function 0044F744: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                                              • Part of subcall function 0044FC10: GetVersionExA.KERNEL32(0049B790,00498BF7), ref: 0044FC1F
                                                                                                              • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
                                                                                                              • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
                                                                                                              • Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 0045322A
                                                                                                              • Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453230
                                                                                                              • Part of subcall function 004570B4: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                                              • Part of subcall function 004645F4: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                                              • Part of subcall function 004645F4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                                              • Part of subcall function 0046CDF0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                                              • Part of subcall function 00478C20: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                                              • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                                              • Part of subcall function 00478C20: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                                              • Part of subcall function 00483F88: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                                              • Part of subcall function 00495BB4: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 00495BCD
                                                                                                            • SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
                                                                                                              • Part of subcall function 00498968: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                                              • Part of subcall function 00498968: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                                              • Part of subcall function 004244D4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 004244F3
                                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                            • ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
                                                                                                              • Part of subcall function 004825C8: SetActiveWindow.USER32(?), ref: 00482676
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
                                                                                                            • String ID: Setup
                                                                                                            • API String ID: 3870281231-3839654196
                                                                                                            • Opcode ID: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                                            • Instruction ID: b535e719d7157e93998cc10f536158ae488692691c8c4e2dacdcbf5c7207fd3e
                                                                                                            • Opcode Fuzzy Hash: 1594606edc507442c6549f9e4ebdc225aad6ad90dc9fc57b5479ce1c0ac5814d
                                                                                                            • Instruction Fuzzy Hash: 873104312446409FD601BBBBFD5392D3B94EF8A728B91447FF80496693DE3C68508A7E
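The entry above shows the sample's startup path resolving SetDllDirectoryW, SetSearchPathMode, SetProcessDEPPolicy and the Wow64 file-system-redirection APIs through GetModuleHandleA/GetProcAddress rather than the import table, which is why they do not appear in a static import listing. As an added triage helper (not part of the Joe Sandbox report and not code from the sample), the following Python parses "APIs" lines in the report's `Name.MODULE(args), ref: ADDR` form and collects the export names passed to the resolver APIs. The sample text is constructed from lines copied from the entries above. One caveat the report itself illustrates: the argument values Joe Sandbox prints are a snapshot of the stack at call time, so an export name can appear on a neighbouring call (Wow64DisableWow64FsRedirection shows up in GetModuleHandleA's arguments while the following GetProcAddress shows a stale "kernel32.dll"), and the name extraction is therefore a heuristic over GetModuleHandleA/LoadLibraryA/GetProcAddress arguments, not a precise decode of the second parameter.

```python
import re
from collections import Counter

# Constructed sample: "APIs" lines copied from the report entries above.
SAMPLE = """\
• Part of subcall function 0040631C: GetModuleHandleA.KERNEL32(kernel32.dll,?,00498BC0), ref: 00406322
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040632F
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406345
• Part of subcall function 0040631C: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040635B
• Part of subcall function 0040631C: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00498BC0), ref: 00406366
• Part of subcall function 00410764: GetCurrentThreadId.KERNEL32 ref: 004107B2
• Part of subcall function 004531F0: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,00453289,?,?,?,?,00000000,?,00498C06), ref: 00453210
• Part of subcall function 004531F0: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453216
• SetErrorMode.KERNEL32(00000001,00000000,00498C6C), ref: 00498C3E
• ShowWindow.USER32(?,00000005,00000000,00498C6C), ref: 00498C9F
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Name.MODULE(args), ref: ADDR. The argument list is optional (GetCurrentThreadId has none).
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",? ref: (?P<ref>[0-9A-F]{8})\s*$"
)

# APIs whose arguments (in this report's stack snapshots) carry export names.
RESOLVER_APIS = {"GetProcAddress", "GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW"}

IDENT_RE = re.compile(r"[A-Za-z_]\w*")
HEX_RE = re.compile(r"[0-9A-Fa-f]{8}")


def looks_like_export_name(tok: str) -> bool:
    """True for identifier-shaped tokens; rejects '?', 8-digit hex values and 'x.dll' names."""
    return bool(IDENT_RE.fullmatch(tok)) and not HEX_RE.fullmatch(tok)


def parse_api_lines(text: str) -> list:
    """Parse report 'APIs' lines into dicts; non-call lines (Strings, hashes, ...) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": m.group("ref"),
            "subcall": m.group("sub"),  # None for calls made directly by the listed function
        })
    return calls


def resolved_names(calls) -> list:
    """Export names seen in resolver-API arguments, i.e. imports resolved at run time."""
    names = set()
    for c in calls:
        if c["api"] in RESOLVER_APIS:
            names.update(a for a in c["args"] if looks_like_export_name(a))
    return sorted(names)


def calls_by_module(calls) -> Counter:
    return Counter(c["module"] for c in calls)


def direct_calls(calls) -> list:
    """Calls the listed function makes itself, as opposed to those inside subcalls."""
    return [c for c in calls if c["subcall"] is None]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    print("calls per module:", dict(calls_by_module(parsed)))
    print("dynamically resolved:", resolved_names(parsed))
    print("direct calls:", [(c["api"], c["ref"]) for c in direct_calls(parsed)])
```

Feeding the whole report's "APIs" sections through `parse_api_lines` gives a per-function inventory of modules and dynamically resolved exports that can be diffed against the PE import table; names that appear only here are the ones a static import scan would miss.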
                                                                                                            APIs
                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DC3C
                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DD38), ref: 0042DCAC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: QueryValue
                                                                                                            • String ID: $=H
                                                                                                            • API String ID: 3660427363-3538597426
                                                                                                            • Opcode ID: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                                            • Instruction ID: 5bd1c55a509b6dee259ffcee94d68868fe84ce326e73fb4cf6662c4527ef549e
                                                                                                            • Opcode Fuzzy Hash: b62dc44b296d1c54c0416b8d239270b5fe200a79a82432283709fd1da487490f
                                                                                                            • Instruction Fuzzy Hash: 9D414171E00529ABDB11DF95D881BAFB7B8EB04704F918466E810F7241D778AE00CBA5
                                                                                                            APIs
                                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A6A
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,00453B13,?,?,00000000,0049B628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00453A73
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                            • String ID: .tmp
                                                                                                            • API String ID: 1375471231-2986845003
                                                                                                            • Opcode ID: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                                            • Instruction ID: 2c169793aa1d4e8b0ae54453200dd0eeecd34c8d921a2c5b894f13e1de3ec917
                                                                                                            • Opcode Fuzzy Hash: 4f6049b6d10a737b279f92eac6e2edda550f3c0c3ab583747f9ca22f4cbd9d09
                                                                                                            • Instruction Fuzzy Hash: BD213575A002089BDB01EFA5C8429DEB7B8EF49305F50457BE801B7343DA3CAF058B69
                                                                                                            APIs
                                                                                                              • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00483A8D
                                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00483A9A
                                                                                                              • Part of subcall function 00483A7C: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00483AA8
                                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00483AB0
                                                                                                              • Part of subcall function 00483A7C: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00483ABC
                                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00483ADD
                                                                                                              • Part of subcall function 00483A7C: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00483AF0
                                                                                                              • Part of subcall function 00483A7C: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00483AF6
                                                                                                              • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483DB6
                                                                                                              • Part of subcall function 00483DA8: GetVersionExA.KERNEL32(0000009C,?,00483FBA,00000000,0048408F,?,?,?,?,?,00498C29), ref: 00483E08
                                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00484077
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleModuleVersion$CurrentErrorInfoLibraryLoadModeNativeProcessSystem
                                                                                                            • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                                            • API String ID: 3869789854-2936008475
                                                                                                            • Opcode ID: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                                            • Instruction ID: 8066e8dcbdf9c94243579ba2519058cd674f052446347c20ec70bbddfecd8a90
                                                                                                            • Opcode Fuzzy Hash: 24bfbd8baf235fcbd7404033d7799f009542697b8823181e059981251f96c700
                                                                                                            • Instruction Fuzzy Hash: 1021F1B06103116AC700BFBE599611B3BA5EB9570C380893FF904DB391D77E68149B6E
                                                                                                            APIs
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047C92C,00000000,0047C942), ref: 0047C63A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Close
                                                                                                            • String ID: RegisteredOrganization$RegisteredOwner
                                                                                                            • API String ID: 3535843008-1113070880
                                                                                                            • Opcode ID: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                                            • Instruction ID: 97ba07fcc0924f8d698b93a4c32f8f7a3ceb81663af41ec066a5e596666b9838
                                                                                                            • Opcode Fuzzy Hash: fe32ea5757c181cea0fad4739291adb7fe5cb56e5df920aee23c3361bee12acf
                                                                                                            • Instruction Fuzzy Hash: F5F09060700204ABEB00D6A8ACD2BAA3769D750304F60907FA1058F382C679EE019B5C
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475271
                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00475483), ref: 00475288
                                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateErrorFileHandleLast
                                                                                                            • String ID: CreateFile
                                                                                                            • API String ID: 2528220319-823142352
                                                                                                            • Opcode ID: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                                            • Instruction ID: b0794b45f16520e4762b2717541816a935241bfc2e667b83be7f23d95be3de9d
                                                                                                            • Opcode Fuzzy Hash: 2c7b4fae504844472e6a07c4f0bcfda842c0d735d71c8af9ff6e211e096a353b
                                                                                                            • Instruction Fuzzy Hash: 99E06D702403447FEA10FA69CCC6F4A77989B04728F10C152BA48AF3E3C5B9FC808A58
                                                                                                            APIs
                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Open
                                                                                                            • String ID: System\CurrentControlSet\Control\Windows$;H
                                                                                                            • API String ID: 71445658-2565060666
                                                                                                            • Opcode ID: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                                            • Instruction ID: 60e43675bb36a9eef4a15598a1848ca3f705ecc445ee8c9fe52fc6b05f1352bb
                                                                                                            • Opcode Fuzzy Hash: a11f376e1d034aeb0d9ae53f60934921bcd728bb93d306f1768079d63b1ffdfe
                                                                                                            • Instruction Fuzzy Hash: 29D09E72950128BB9B009A89DC41DFB775DDB15760F45441BF9049B141C5B4AC5197E4
                                                                                                            APIs
                                                                                                              • Part of subcall function 00457044: CoInitialize.OLE32(00000000), ref: 0045704A
                                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                            • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004570D8
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressErrorInitializeLibraryLoadModeProc
                                                                                                            • String ID: SHCreateItemFromParsingName$shell32.dll
                                                                                                            • API String ID: 2906209438-2320870614
                                                                                                            • Opcode ID: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                                            • Instruction ID: 7fba65882f7194314ab185764ebfac318737a269d5660949bdaf7135ffc1064c
                                                                                                            • Opcode Fuzzy Hash: 9d30f7af3022304e39d9007edb753d7b8512de14ad0f58a0e87bb64db50414c6
                                                                                                            • Instruction Fuzzy Hash: ECC08CA074860093CB40B3FA344320E1841AB8071FB10C07F7A04A66C7DE3C88088B2E
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042E394: SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                              • Part of subcall function 0042E394: LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                            • GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046CE05
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressErrorLibraryLoadModeProc
                                                                                                            • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                            • API String ID: 2492108670-2683653824
                                                                                                            • Opcode ID: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                                            • Instruction ID: c0603f0a452a360a01ce82207306765f02b8a986224f2e77b24b084cc810d505
                                                                                                            • Opcode Fuzzy Hash: 4f35c33f472421c4948a2ce6cac4f72f28d005e98571f32e7a9733a845a9f857
                                                                                                            • Instruction Fuzzy Hash: 44B092A060074086DB40B7A298D262B28269740319B20843BB0CC9BA95EB3E88240B9F
                                                                                                            APIs
                                                                                                            • LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,00000000,00448709), ref: 0044864C
                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004486CD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressLibraryLoadProc
                                                                                                            • String ID:
                                                                                                            • API String ID: 2574300362-0
                                                                                                            • Opcode ID: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                                                            • Instruction ID: 2eaa58f6359003fef9dee836e3db1fa56ae38c906bc4f4c4d93ca6671f7cd4fb
                                                                                                            • Opcode Fuzzy Hash: 36521cdfc13aba0ae9c44214f12a2e14552a0dd36018004eb1372d311063bccb
                                                                                                            • Instruction Fuzzy Hash: 14515470E00105AFDB40EF95C491AAEBBF9EB45319F11817FE414BB391DA389E05CB99
                                                                                                            APIs
                                                                                                            • GetSystemMenu.USER32(00000000,00000000,00000000,00481DB4), ref: 00481D4C
                                                                                                            • AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00481D5D
                                                                                                            • AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00481D75
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$Append$System
                                                                                                            • String ID:
                                                                                                            • API String ID: 1489644407-0
                                                                                                            • Opcode ID: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                                                            • Instruction ID: 44f8b16540ed1c6eecf525242fd074403e334eda66194076213ef08da8c10300
                                                                                                            • Opcode Fuzzy Hash: 672145a2bbc7660003845448dd8fd579fca208d3c81716cd1fbd69936c4767aa
                                                                                                            • Instruction Fuzzy Hash: 3431D4307043441AD721FB769C82BAE3A989F15318F54483FF901AB2E3CA7CAD09879D
                                                                                                            APIs
                                                                                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424412
                                                                                                            • TranslateMessage.USER32(?), ref: 0042448F
                                                                                                            • DispatchMessageA.USER32(?), ref: 00424499
                                                                                                            Similarity
                                                                                                            • API ID: Message$DispatchPeekTranslate
                                                                                                            • String ID:
                                                                                                            • API String ID: 4217535847-0
                                                                                                            • Opcode ID: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                                                            • Instruction ID: 8eae6dca0d2455523dd27ca57e4683f6da326f6f2f90499d04ddbfd693f83f9d
                                                                                                            • Opcode Fuzzy Hash: d4f7142ddfb2041a0388c754ad29f8297397d1c5d5a6fc901d04af05902ad934
                                                                                                            • Instruction Fuzzy Hash: E3116D303043205AEB20FA24A941B9F73D4DFC5758F80481EFC99972C2D77D9D49879A
                                                                                                            APIs
                                                                                                            • SetPropA.USER32(00000000,00000000), ref: 0041666A
                                                                                                            • SetPropA.USER32(00000000,00000000), ref: 0041667F
                                                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166A6
                                                                                                            Similarity
                                                                                                            • API ID: Prop$Window
                                                                                                            • String ID:
                                                                                                            • API String ID: 3363284559-0
                                                                                                            • Opcode ID: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                                                                            • Instruction ID: 6913c5f2d07602d921388148e43cadd8ab2d6729f30613f48e4cae6714e3bc13
                                                                                                            • Opcode Fuzzy Hash: 953367bc10487f5f00132df45b9f4bdc07709d3a3f88142737615a1cc8063318
                                                                                                            • Instruction Fuzzy Hash: ACF01271701210ABDB10AB599C85FA732DCAB09714F16057AB905EF286C778DC40C7A8
                                                                                                            APIs
                                                                                                            • IsWindowVisible.USER32(?), ref: 0041EE64
                                                                                                            • IsWindowEnabled.USER32(?), ref: 0041EE6E
                                                                                                            • EnableWindow.USER32(?,00000000), ref: 0041EE94
                                                                                                            Similarity
                                                                                                            • API ID: Window$EnableEnabledVisible
                                                                                                            • String ID:
                                                                                                            • API String ID: 3234591441-0
                                                                                                            • Opcode ID: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                                                            • Instruction ID: 3b4cb379701a2ac24b7d0c87bf9454d2e26b3d0fb89a85d5a5a22e513a73856b
                                                                                                            • Opcode Fuzzy Hash: 495d6a49dc4b54b7e424eeae3cce025a94256eba33976185de8149e812397146
                                                                                                            • Instruction Fuzzy Hash: EAE06DB5100301AAE301AB2BDC81B5B7A9CAB54350F05843BA9089B292D63ADC408B7C
                                                                                                            APIs
                                                                                                            • SetActiveWindow.USER32(?), ref: 0046A02D
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: ActiveWindow
                                                                                                            • String ID: PrepareToInstall
                                                                                                            • API String ID: 2558294473-1101760603
                                                                                                            • Opcode ID: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                                            • Instruction ID: c614f106b7f0b4f176116dff63491c2ec041d81708a05a15fd0d1780f22877a3
                                                                                                            • Opcode Fuzzy Hash: bd917288eaa5b05b1195b505efe9116c2b5c78d32a5283306b423edfa0bdd6d5
                                                                                                            • Instruction Fuzzy Hash: 97A14934A00109DFCB00EF99D986EDEB7F5AF48304F5540B6E404AB362D738AE45CB9A
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: /:*?"<>|
                                                                                                            • API String ID: 0-4078764451
                                                                                                            • Opcode ID: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                                                            • Instruction ID: 6c3526c54916fe71946563460b5bd12015a165326d65a32731909bc5939f884d
                                                                                                            • Opcode Fuzzy Hash: e5c60157bcf2278da473a52dbfa3e40327efacf8e8b2ac4b78b74c9d89147c88
                                                                                                            • Instruction Fuzzy Hash: CF71C370A40215BADB10E766DCD2FEE7BA19F05308F148067F580BB292E779AD458B4E
                                                                                                            APIs
                                                                                                            • SetActiveWindow.USER32(?), ref: 00482676
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: ActiveWindow
                                                                                                            • String ID: InitializeWizard
                                                                                                            • API String ID: 2558294473-2356795471
                                                                                                            • Opcode ID: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                                            • Instruction ID: 0fabbc08dbff6a0894d12042e1c617afa12541eacf44f0b659f2bb150b55c2ae
                                                                                                            • Opcode Fuzzy Hash: 3626624f3147e861467950174f06d96ecabfee41a1c9b8d7b2440425271d24be
                                                                                                            • Instruction Fuzzy Hash: 8311C130204200AFD700EB69EED6B1A37E4E764328F60057BE404D72A1EA796C41CB5E
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047C740,00000000,0047C942), ref: 0047C539
                                                                                                            Strings
                                                                                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047C509
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen
                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                                            • API String ID: 47109696-1019749484
                                                                                                            • Opcode ID: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                                                                            • Instruction ID: acdf9366f140fa0c09696ff4b806567a5b27613a006b44f2785fa8682630d216
                                                                                                            • Opcode Fuzzy Hash: 058bbab7ea9ec86a0dd33160b35f36364f977485e0abef3b7f9f2bc760079b92
                                                                                                            • Instruction Fuzzy Hash: 6CF0823170052477DA00A65E6C82B9FA79D8B84758F60403FF508DB242EABAEE0243EC
                                                                                                            APIs
                                                                                                            • RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,0047620E,?,0049C1E0,?,0046F15B,?,00000000,0046F6F6,?,_is1), ref: 0046EE67
                                                                                                            Strings
                                                                                                            • Inno Setup: Setup Version, xrefs: 0046EE65
                                                                                                            Similarity
                                                                                                            • API ID: Value
                                                                                                            • String ID: Inno Setup: Setup Version
                                                                                                            • API String ID: 3702945584-4166306022
                                                                                                            • Opcode ID: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                                                            • Instruction ID: 37dbbd71146fd60ed96ba35b84ff74d599aeccd68d0f9eb37ee109455dfe34ad
                                                                                                            • Opcode Fuzzy Hash: 80676ca53bf8d59feef104d4bc7cb567c816a54b460bafb4a4ed583678a3f251
                                                                                                            • Instruction Fuzzy Hash: B1E06D753012043FE710AA2B9C85F5BBADCDF88365F10403AB908DB392D578DD0181A9
                                                                                                            APIs
                                                                                                            • RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046F532,?,?,00000000,0046F6F6,?,_is1,?), ref: 0046EEC7
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: Value
                                                                                                            • String ID: NoModify
                                                                                                            • API String ID: 3702945584-1699962838
                                                                                                            • Opcode ID: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                                                            • Instruction ID: 84621f748531697c6bb4a8e0450a59e651a2caf9945441e4ffcb8bd5fa838dfd
                                                                                                            • Opcode Fuzzy Hash: f40bfeae81701b53243146576d0ffb0e6a468f93b3df03c8cd4f9f1e738a44cb
                                                                                                            • Instruction Fuzzy Hash: F6E04FB4640308BFEB04DB55CD4AF6B77ECDB48714F10405ABA049B281E674FE00C669
                                                                                                            APIs
                                                                                                            • GetACP.KERNEL32(?,?,00000001,00000000,0047E753,?,-0000001A,00480609,-00000010,?,00000004,0000001B,00000000,00480956,?,0045DB68), ref: 0047E4EA
                                                                                                              • Part of subcall function 0042E31C: GetDC.USER32(00000000), ref: 0042E32B
                                                                                                              • Part of subcall function 0042E31C: EnumFontsA.GDI32(?,00000000,0042E308,00000000,00000000,0042E374,?,00000000,00000000,004809BD,?,?,00000001,00000000,00000002,00000000), ref: 0042E356
                                                                                                              • Part of subcall function 0042E31C: ReleaseDC.USER32(00000000,?), ref: 0042E36E
                                                                                                            • SendNotifyMessageA.USER32(0001041E,00000496,00002711,-00000001), ref: 0047E6BA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: EnumFontsMessageNotifyReleaseSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 2649214853-0
                                                                                                            • Opcode ID: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                                                            • Instruction ID: a62c935d52da393e7312112ce75ddb0898731394ffd2a16b1d4fc3e518f8127d
                                                                                                            • Opcode Fuzzy Hash: 7f479caed6d506e1fedd37a3e9b8fbc918d7d672324c4412b746d2e8a14c4527
                                                                                                            • Instruction Fuzzy Hash: 5B5195746001049BC710FF67E98169A37E5EB58308B90C67BA8049B3A6DB3CED45CB9D
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047DF83,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047DF3D
                                                                                                              • Part of subcall function 0042CA00: GetSystemMetrics.USER32(0000002A), ref: 0042CA12
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMetricsMultiSystemWide
                                                                                                            • String ID: /G
                                                                                                            • API String ID: 224039744-2088674125
                                                                                                            • Opcode ID: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                                            • Instruction ID: 84c81a41a939c89cd5cf89585cf0d961f9543ff151f38a86aad590f5673b43e0
                                                                                                            • Opcode Fuzzy Hash: 9f8ad520ff63b3f089cafa147e7d8bbd1691bb3a433f158030b0d1014876a4d7
                                                                                                            • Instruction Fuzzy Hash: 53518070A04215AFDB21DF55D8C4FAA7BB8EF64318F118077E404AB3A1C778AE45CB99
                                                                                                            APIs
                                                                                                            • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DF6C
                                                                                                            • RegCloseKey.ADVAPI32(?,0042DFDD,?,00000000,00000000,00000000,00000000,00000000,0042DFD6,?,?,00000008,00000000,00000000,0042E003), ref: 0042DFD0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseEnum
                                                                                                            • String ID:
                                                                                                            • API String ID: 2818636725-0
                                                                                                            • Opcode ID: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                                            • Instruction ID: d62689c7b7995b9893119ef97773413105dd68debc8ff02f2d4f9d8a28cc91ff
                                                                                                            • Opcode Fuzzy Hash: 54e2847b2ed8cbec0c232d6556bf46b22f1e93997a90c035dd6b8310f6c19c74
                                                                                                            • Instruction Fuzzy Hash: DD31B270F04258AEDB11DFA6DD42BAEBBB9EB49304F91407BE501E6280D6785E01CA2D
                                                                                                            APIs
                                                                                                              • Part of subcall function 00495508: GetDC.USER32(00000000), ref: 00495519
                                                                                                              • Part of subcall function 00495508: SelectObject.GDI32(00000000,00000000), ref: 0049553B
                                                                                                              • Part of subcall function 00495508: GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00495AB9), ref: 0049554F
                                                                                                              • Part of subcall function 00495508: GetTextMetricsA.GDI32(00000000,?), ref: 00495571
                                                                                                              • Part of subcall function 00495508: ReleaseDC.USER32(00000000,00000000), ref: 0049558E
                                                                                                            • MulDiv.KERNEL32(?,?,00000006), ref: 00495AFB
                                                                                                            • MulDiv.KERNEL32(?,?,0000000D), ref: 00495B10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Text$ExtentMetricsObjectPointReleaseSelect
                                                                                                            • String ID:
                                                                                                            • API String ID: 844173074-0
                                                                                                            • Opcode ID: 0ae29da0906a83ea8dd71af8a3b995980c0d8de00cfc8428832f083f9a8e0037
                                                                                                            • Instruction ID: abe69acf9078cd54ec5aa8dad2b6463f40ee800cf76dae291ad797c0d2ca63cb
                                                                                                            • Opcode Fuzzy Hash: 0ae29da0906a83ea8dd71af8a3b995980c0d8de00cfc8428832f083f9a8e0037
                                                                                                            • Instruction Fuzzy Hash: FC21D6713012009FDB50DF69C8C5AA637E9EB89314F6446B9FD08CF29ADB35EC058B65
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 0045283C
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,?,?,00458278,00000000,00458260,?,?,?,00000000,00452862,?,?,?,00000001), ref: 00452844
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateErrorLastProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 2919029540-0
                                                                                                            • Opcode ID: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                                            • Instruction ID: fcc055d8c1a696a2a0db1e32a085008d871673fec5534948229a16d4440eefa6
                                                                                                            • Opcode Fuzzy Hash: 32d7980bd8ec2bee900e92c865b72ef71cfaa45d55aa0c85c0401d49ed696f28
                                                                                                            • Instruction Fuzzy Hash: A2113C72600208AF8B40DEA9DD41D9F77ECEB4E310B114567FD18D3241D678EE148B68
                                                                                                            APIs
                                                                                                            • FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040ADF2
                                                                                                            • FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040AF4F,00000000,0040AF67,?,?,?,00000000), ref: 0040AE03
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Resource$FindFree
                                                                                                            • String ID:
                                                                                                            • API String ID: 4097029671-0
                                                                                                            • Opcode ID: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                                            • Instruction ID: 3d7a77417cef7b3885e8747e4544195f2de945da78ee84bb1155330bb8f828e3
                                                                                                            • Opcode Fuzzy Hash: 07387713778517d694c210176a4718dd0562bb365b6db4bb8115bda04798bcb6
                                                                                                            • Instruction Fuzzy Hash: 0301F771300700AFD700FF69EC52E1B77EDDB46714710807AF500AB3D1D639AC10966A
                                                                                                            APIs
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                                            • EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$CurrentEnumWindows
                                                                                                            • String ID:
                                                                                                            • API String ID: 2396873506-0
                                                                                                            • Opcode ID: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                                            • Instruction ID: bcaa23655132f8f2785c0a842f21b48ac99b37e3223c43442b01e3940dbd0cdf
                                                                                                            • Opcode Fuzzy Hash: 30aad164e0a195eeb96462141dc827bf49acbc8680001675c00c89b7ac155170
                                                                                                            • Instruction Fuzzy Hash: 31015B76A04604BFD706CF6BEC1199ABBE8E789720B22887BEC04D3690E7355C10DF18
                                                                                                            APIs
                                                                                                            • MoveFileA.KERNEL32(00000000,00000000), ref: 00452CC2
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00452CE8), ref: 00452CCA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLastMove
                                                                                                            • String ID:
                                                                                                            • API String ID: 55378915-0
                                                                                                            • Opcode ID: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                                            • Instruction ID: 1f9035ddd188b097fe3d15476f32cd7793c58c8f4df07880d9fc6ba60e4ff235
                                                                                                            • Opcode Fuzzy Hash: 92f277caa9c3c56662d1ce6f28aaa0531c95695199337b3952b9b7b9e7465d28
                                                                                                            • Instruction Fuzzy Hash: 9401D671A04208AB8712EB799D4149EB7ECEB8A32575045BBFC04E3243EA785E048558
                                                                                                            APIs
                                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527A9
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,004527CF), ref: 004527B1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 1375471231-0
                                                                                                            • Opcode ID: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                                            • Instruction ID: e3b373b60118a844676bb749001e6832c3b26a50706decb61b3ae2e0e224b701
                                                                                                            • Opcode Fuzzy Hash: 855e2e178366579e8cdbc9f044a0346376c594dce53ca60ac40061c8de66a150
                                                                                                            • Instruction Fuzzy Hash: 40F02871A00308BBCB01EF759D4259EB7E8EB4E311B2045B7FC04E3642E6B94E04859C
                                                                                                            APIs
                                                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 00423249
                                                                                                            • LoadCursorA.USER32(00000000,00000000), ref: 00423273
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CursorLoad
                                                                                                            • String ID:
                                                                                                            • API String ID: 3238433803-0
                                                                                                            • Opcode ID: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                                            • Instruction ID: 5e34cf6406f075c2c63d733b1f02ef4b9a88184ee1572dc0f3c8875cc615d59b
                                                                                                            • Opcode Fuzzy Hash: 0c9a104e89a33193f60416200903d3bd70bbd31149720632682593485f60625b
                                                                                                            • Instruction Fuzzy Hash: 9EF0A711B04254AADA109E7E6CC0D6B72A8DF82735B61037BFA3EC72D1C62E1D414569
                                                                                                            APIs
                                                                                                            • SetErrorMode.KERNEL32(00008000), ref: 0042E39E
                                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,0042E3E8,?,00000000,0042E406,?,00008000), ref: 0042E3CD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLibraryLoadMode
                                                                                                            • String ID:
                                                                                                            • API String ID: 2987862817-0
                                                                                                            • Opcode ID: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                                                            • Instruction ID: 14c2566281f292fbf4bc3f3871eddb8f7eb4f11f4d1149329263d7d1c8790498
                                                                                                            • Opcode Fuzzy Hash: 4bb5710dc3172506f3a82e57bec548632d1945d06b3d92e94bd16d63dfaa8550
                                                                                                            • Instruction Fuzzy Hash: 02F08970B147447FDB119F779CA241BBBECDB49B1175249B6F800A3591E53C4910C928
                                                                                                            APIs
                                                                                                            • SHGetKnownFolderPath.SHELL32(00499D40,00008000,00000000,?), ref: 0047C89B
                                                                                                            • CoTaskMemFree.OLE32(?,0047C8DE), ref: 0047C8D1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FolderFreeKnownPathTask
                                                                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                                                                            • API String ID: 969438705-544719455
                                                                                                            • Opcode ID: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
                                                                                                            • Instruction ID: f48ec61de784b6bea0373c7a91bc006da4a0813e938d35ae17fa89473a65de5f
                                                                                                            • Opcode Fuzzy Hash: c380859d91d2530b1710b7ab5da91f48806622674321ef44444f1ad2bc0d7433
                                                                                                            • Instruction Fuzzy Hash: 22E09230340604BFEB15EB61DC92F6977A8EB48B01B72847BF504E2680D67CAD00DB1C
                                                                                                            APIs
                                                                                                            • SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 0045090E
                                                                                                            • GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470149,?,00000000), ref: 00450916
                                                                                                              • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$FilePointer
                                                                                                            • String ID:
                                                                                                            • API String ID: 1156039329-0
                                                                                                            • Opcode ID: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
                                                                                                            • Instruction ID: 32d43412562f4d6ab64aa8be608e77008e370c57458e4df53f7444e76f76d0cb
                                                                                                            • Opcode Fuzzy Hash: ec46a7bc9e5a7a34518fa7989fb6988307d7ef9dfce9dbcd61575ad1106d4b51
                                                                                                            • Instruction Fuzzy Hash: 0EE012E93042015BF700EA6599C1B2F22DCDB44315F00446ABD44CA28BE678CC048B29
                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Virtual$AllocFree
                                                                                                            • String ID:
                                                                                                            • API String ID: 2087232378-0
                                                                                                            • Opcode ID: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                                            • Instruction ID: 119661fe7174a079321c86e78af40791ac039b5eb8373b45468023a5ba433726
                                                                                                            • Opcode Fuzzy Hash: 94577317c2bcd4d3a70d22c0b2f2fc78c72c60cff144ef5375d29febf27e2799
                                                                                                            • Instruction Fuzzy Hash: F7F08272A0063067EB60596A4C81B5359859BC5B94F154076FD09FF3E9D6B58C0142A9
                                                                                                            APIs
                                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,00408712), ref: 004085FB
                                                                                                              • Part of subcall function 00406DEC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E09
                                                                                                              • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DefaultInfoLoadLocaleStringSystem
                                                                                                            • String ID:
                                                                                                            • API String ID: 1658689577-0
                                                                                                            • Opcode ID: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                                            • Instruction ID: 9026c6f0acc6bf601755118861b832b1e3c4c92574a9a05948c89544872af2a3
                                                                                                            • Opcode Fuzzy Hash: 92125e52594e5bc8ee6d97e09480d95589045c4468e862feaba19903f63d3f1d
                                                                                                            • Instruction Fuzzy Hash: 47314E35E00109ABCB00EB55CC819EEB779EF84314F558577E815BB286EB38AA018B98
                                                                                                            APIs
                                                                                                            • SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC39
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoScroll
                                                                                                            • String ID:
                                                                                                            • API String ID: 629608716-0
                                                                                                            • Opcode ID: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                                            • Instruction ID: 6365c2cd079840e4170b7c9ce409c3d873e807bce8729d2e10e5c00059922083
                                                                                                            • Opcode Fuzzy Hash: a0ce2aaa01497ac04468ea6ac7a83421c49688bcbeeff2d3e991700215f3b25f
                                                                                                            • Instruction Fuzzy Hash: D8214FB1608746AFC351DF3984407A6BBE4BB48344F14893EE498C3741E778E99ACBD6
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                                              • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                                            • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046C4AE,?,00000000,?,?,0046C6C0,?,00000000,0046C734), ref: 0046C492
                                                                                                              • Part of subcall function 0041EF58: IsWindow.USER32(?), ref: 0041EF66
                                                                                                              • Part of subcall function 0041EF58: EnableWindow.USER32(?,00000001), ref: 0041EF75
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3319771486-0
                                                                                                            • Opcode ID: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                                            • Instruction ID: eef1953176fed27c4f60a3b97998f4e8fb1447464a393d6256780c84e8a913cd
                                                                                                            • Opcode Fuzzy Hash: 0af19ab3550c8734ef4e1cf2f84aef4c41dad365f35295dd8d2c2646a272cfa9
                                                                                                            • Instruction Fuzzy Hash: 5AF0B471248300BFE705DF62ECA6B35B6E8D748714F61047BF40886590E97D5844D51E
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3934441357-0
                                                                                                            • Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                                            • Instruction ID: 51b66c86ab1fb2ed9abdb0db83839a26410808368eb32e0cb4295e2ee82716ff
                                                                                                            • Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
                                                                                                            • Instruction Fuzzy Hash: 09F04970608109EBBB1CCF58D0618AF7BA0EB48300F2080AFE907C7BA0D634AA80D658
                                                                                                            APIs
                                                                                                            • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416585
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                                            • Instruction ID: 158b8484bb218b41c698b3aa21f26e2dd86497bc01e640ef524e7c8f4c0ee3c6
                                                                                                            • Opcode Fuzzy Hash: b152e844846ae8a52721441d180559fdf16f7956a15d86c9ff4cf0dcda8b9698
                                                                                                            • Instruction Fuzzy Hash: 4BF019B2200510AFDB84DE9CD9C0F9773ECEB0C210B0481A6FA08CB21AD220EC108BB0
                                                                                                            APIs
                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149EF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2492992576-0
                                                                                                            • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                            • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                                            • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                            • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450804
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0
                                                                                                            • Opcode ID: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                                            • Instruction ID: 52eb814c7c241dc182afdc6c3e242d4e4c9a4e6d94000e289351c80ae23ff87c
                                                                                                            • Opcode Fuzzy Hash: ce99838f7be0491c6923214398908b2fd93372403a84c7b432a549debe4dc153
                                                                                                            • Instruction Fuzzy Hash: 53E012B53541483EE780EEAD6C42F9777DC971A714F008037B998D7341D461DD158BA8
                                                                                                            APIs
                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,0042CD14,?,00000001,?,?,00000000,?,0042CD66,00000000,00452A25,00000000,00452A46,?,00000000), ref: 0042CCF7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AttributesFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3188754299-0
                                                                                                            • Opcode ID: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                                            • Instruction ID: d3c11148bbbe1678040d416a6bc301cfea82702c80b798926358c5e84281cc0e
                                                                                                            • Opcode Fuzzy Hash: 2e3447488e8940f063bbcfc4a9008e9bc81ad59ac090e4e62a8f5aa92ecca264
                                                                                                            • Instruction Fuzzy Hash: 80E065B1304304BFD701EB66EC92A5EBAACDB49754BA14876B50097592D5B86E008468
                                                                                                            APIs
                                                                                                            • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FormatMessage
                                                                                                            • String ID:
                                                                                                            • API String ID: 1306739567-0
                                                                                                            • Opcode ID: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                                            • Instruction ID: fbc307da5c1359fbfbc351051067b699ae1438aedf6613c80dda169529e76e7e
                                                                                                            • Opcode Fuzzy Hash: 07eb917982e44065cc90d67cadef310e262c4caec6bcfbb1197f6d5f5d2cfc19
                                                                                                            • Instruction Fuzzy Hash: BCE0206278431116F2353416AC47B77150E43C0708F944027BB90DF3D3D6AF9945D25E
                                                                                                            APIs
                                                                                                            • GetTextExtentPointA.GDI32(?,00000000,00000000), ref: 0041AF9B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExtentPointText
                                                                                                            • String ID:
                                                                                                            • API String ID: 566491939-0
                                                                                                            • Opcode ID: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                                            • Instruction ID: 6b43be1268843882f9474f888990ee0a0f71ddbfb678ee1088bae751a0726d8f
                                                                                                            • Opcode Fuzzy Hash: fe3873e992a20e622ffaf78f93863b288a9be0a8311253c2d6346deae250c6a6
                                                                                                            • Instruction Fuzzy Hash: E3E086F13097102BD600E67E1DC19DB77DC8A483697148177F458E7392D62DDE1A43AE
                                                                                                            APIs
                                                                                                            • CreateWindowExA.USER32(00000000,0042367C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00406311
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 716092398-0
                                                                                                            • Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                            • Instruction ID: 53e57476791a39574122dfc8a3f58f2f78c4a621b5a82e38d1c80b15216a1e52
                                                                                                            • Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
                                                                                                            • Instruction Fuzzy Hash: EEE0FEB2214209BBDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972428275AC608B71
                                                                                                            APIs
                                                                                                            • RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Create
                                                                                                            • String ID:
                                                                                                            • API String ID: 2289755597-0
                                                                                                            • Opcode ID: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                                            • Instruction ID: 68673b5cf84413dff1d7ecec16939cb2303f89f305828e6cd22260af4b89741b
                                                                                                            • Opcode Fuzzy Hash: 296f4a6b1841180fcb6525c1425398a2afe0618770c3240f8adf4a5c8222c494
                                                                                                            • Instruction Fuzzy Hash: EDE07EB2610119AF9B40DE8CDC81EEB37ADAB1D350F404016FA08E7200C2B4EC519BB4
                                                                                                            APIs
                                                                                                            • FindClose.KERNEL32(00000000,000000FF,0047096C,00000000,00471782,?,00000000,004717CB,?,00000000,00471904,?,00000000,?,00000000), ref: 00454C0E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseFind
                                                                                                            • String ID:
                                                                                                            • API String ID: 1863332320-0
                                                                                                            • Opcode ID: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                                            • Instruction ID: 5c2dbd3a099336849a47a332199978da45cb785deb8a29a76394180ab3bc5383
                                                                                                            • Opcode Fuzzy Hash: 6665614e34a0f7cff573ca1669b2a109aa27f3c0ddffd1931b228eca5c2d9aab
                                                                                                            • Instruction Fuzzy Hash: A1E09BB09097004BC715DF39858031A76D19FC9325F05C96AEC99CF3D7E77D84454617
                                                                                                            APIs
                                                                                                            • KiUserCallbackDispatcher.NTDLL(004959E6,?,00495A08,?,?,00000000,004959E6,?,?), ref: 0041469B
                                                                                                            Similarity
                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2492992576-0
                                                                                                            • Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                            • Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
                                                                                                            • Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
                                                                                                            • Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
                                                                                                            APIs
                                                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F24
                                                                                                            Similarity
                                                                                                            • API ID: FileWrite
                                                                                                            • String ID:
                                                                                                            • API String ID: 3934441357-0
                                                                                                            • Opcode ID: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                                            • Instruction ID: adeaf4ebd0e6cd94d64be6b3cb299443ba394f13a0b1cd3d8337db6b6af80796
                                                                                                            • Opcode Fuzzy Hash: 4c02731fe18b0a47ab7745946c5e8dd4c7dfafdb2aa22804bebcbb41d9412fbb
                                                                                                            • Instruction Fuzzy Hash: 53D012722091506AD220965A6C44EAB6BDCCBC5770F11063AB558C2181D7209C01C675
                                                                                                            APIs
                                                                                                              • Part of subcall function 004235F8: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042360D
                                                                                                            • ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
                                                                                                              • Part of subcall function 00423628: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423644
                                                                                                            Similarity
                                                                                                            • API ID: InfoParametersSystem$ShowWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 3202724764-0
                                                                                                            • Opcode ID: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                                            • Instruction ID: 3e39ddd90fb628193caaea160b6f4ed5bf244f394cc2da11a07db6b12dca8b82
                                                                                                            • Opcode Fuzzy Hash: 749b279e1c5e0ab7b3e77853442b745bf30ea7cb0c28c018a636783dda1148f2
                                                                                                            • Instruction Fuzzy Hash: 34D05E123821703142307ABB280699B46EC8D822EB389043BB5449B312ED5DCE01116C
                                                                                                            APIs
                                                                                                            • SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                            Similarity
                                                                                                            • API ID: TextWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 530164218-0
                                                                                                            • Opcode ID: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                                            • Instruction ID: e359d8c046b4275bb87a72ac3440150ee0889cd0e7de0465f76ccf46c1161c2e
                                                                                                            • Opcode Fuzzy Hash: 968e2600307bd84f4d65718215a4df57ccfa9b7919b98356d7a542cd4e907fd2
                                                                                                            • Instruction Fuzzy Hash: 81D05EE27011602BCB01BAED54C4AC667CC9B8D25AB1840BBF904EF257D638CE40C398
                                                                                                            APIs
                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00467828,00000000,00000000,00000000,0000000C,00000000), ref: 00466B58
                                                                                                            Similarity
                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 2492992576-0
                                                                                                            • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                            • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                                            • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                            • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                                                            APIs
                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,004515CB,00000000), ref: 0042CD2F
                                                                                                            Similarity
                                                                                                            • API ID: AttributesFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 3188754299-0
                                                                                                            • Opcode ID: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                                            • Instruction ID: 53db4a1afaa3b7bebcc80daf879f764776582c58df104e6651e2d127eece83ed
                                                                                                            • Opcode Fuzzy Hash: 699a035a793c66476b33cfcb292e18e8433149420fa0246697406cd7a61acf8b
                                                                                                            • Instruction Fuzzy Hash: 48C08CE03222001A9E60A6BD2CC551F06CC891423A3A41E3BB129EB2E2D23D88162818
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A6D4,0040CC80,?,00000000,?), ref: 00406EDD
                                                                                                            Similarity
                                                                                                            • API ID: CreateFile
                                                                                                            • String ID:
                                                                                                            • API String ID: 823142352-0
                                                                                                            • Opcode ID: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                                            • Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
                                                                                                            • Opcode Fuzzy Hash: d487f09bce5ab2446fefe52ff91139140134d323c8d44495a9ab4cbc0f9c4527
                                                                                                            • Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C
                                                                                                            APIs
                                                                                                            • SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                                              • Part of subcall function 004506B4: GetLastError.KERNEL32(004504D0,00450776,?,00000000,?,00497E2C,00000001,00000000,00000002,00000000,00497F8D,?,?,00000005,00000000,00497FC1), ref: 004506B7
                                                                                                            Similarity
                                                                                                            • API ID: ErrorFileLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 734332943-0
                                                                                                            • Opcode ID: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                                            • Instruction ID: 9573b676cf6dd5fef234c73c81a1a5d02d78d5ca05287b50762f3c98dcfac2da
                                                                                                            • Opcode Fuzzy Hash: dfd6122944db5b319254e7b77af95d7469dcf5406d44b15aeae4525e96e42585
                                                                                                            • Instruction Fuzzy Hash: 1AC04CA5700211479F10A6BA85C1A0662D86A5D3157144066BD08CF207D668D8148A18
                                                                                                            APIs
                                                                                                            • SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                                            Similarity
                                                                                                            • API ID: CurrentDirectory
                                                                                                            • String ID:
                                                                                                            • API String ID: 1611563598-0
APIs
• SetErrorMode.KERNEL32(?,0042E40D), ref: 0042E400
Similarity
• API ID: ErrorMode
• API String ID: 2340568224-0
Similarity
• API ID: DestroyWindow
• API String ID: 3375834691-0
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDA4,?,0042388F,00423C0C,0041EDA4), ref: 0041F3E2
Similarity
• API ID: AllocVirtual
• API String ID: 4275171209-0
APIs
• GetLastError.KERNEL32(00000000,0045302D), ref: 0045300F
Similarity
• API ID: ErrorLast
• API String ID: 1452528299-0
APIs
• VirtualFree.KERNEL32(?,?,00004000,?,?,?,?,?,00401973), ref: 00401766
Similarity
• API ID: FreeVirtual
• API String ID: 1263568516-0
APIs
• LocalAlloc.KERNEL32(00000000,00000644,?,0049B450,004013A3,?,?,00401443,?,?,?,?,?,00401983), ref: 00401353
Similarity
• API ID: AllocLocal
• API String ID: 3494564517-0
Similarity
• API ID: CloseHandle
• API String ID: 2962429428-0
APIs
• GetVersion.KERNEL32(?,00418FF0,00000000,?,?,?,00000001), ref: 0041F126
• SetErrorMode.KERNEL32(00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F142
• LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F14E
• SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F15C
• GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F18C
• GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1B5
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1CA
• GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1DF
• GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F1F4
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F209
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F21E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F233
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F248
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F25D
• FreeLibrary.KERNEL32(00000001,?,00418FF0,00000000,?,?,?,00000001), ref: 0041F26F
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
                                                                                                            APIs
                                                                                                            • GetTickCount.KERNEL32 ref: 0045862F
                                                                                                            • QueryPerformanceCounter.KERNEL32(02263858,00000000,004588C2,?,?,02263858,00000000,?,00458FBE,?,02263858,00000000), ref: 00458638
                                                                                                            • GetSystemTimeAsFileTime.KERNEL32(02263858,02263858), ref: 00458642
                                                                                                            • GetCurrentProcessId.KERNEL32(?,02263858,00000000,004588C2,?,?,02263858,00000000,?,00458FBE,?,02263858,00000000), ref: 0045864B
                                                                                                            • CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 004586C1
                                                                                                            • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02263858,02263858), ref: 004586CF
                                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458717
                                                                                                            • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0045886D,?,00000000,C0000000,00000000,00499B24,00000003,00000000,00000000,00000000,0045887E), ref: 00458750
                                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 004587F9
                                                                                                            • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045882F
                                                                                                            • CloseHandle.KERNEL32(000000FF,00458874,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00458867
                                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                                            Similarity
                                                                                                            • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                                                                            • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                                                                            • API String ID: 770386003-3271284199
                                                                                                            APIs
                                                                                                              • Part of subcall function 00478370: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02262BD8,?,?,?,02262BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                                              • Part of subcall function 00478370: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                                              • Part of subcall function 00478370: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02262BD8,?,?,?,02262BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                                              • Part of subcall function 00478370: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02262BD8,?,?,?,02262BD8), ref: 004783CC
                                                                                                              • Part of subcall function 00478370: CloseHandle.KERNEL32(00000000,?,?,?,02262BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                                              • Part of subcall function 00478448: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,004784DA,?,?,?,02262BD8,?,0047853C,00000000,00478652,?,?,-00000010,?), ref: 00478478
                                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 0047858C
                                                                                                            • GetLastError.KERNEL32(00000000,00478652,?,?,-00000010,?), ref: 00478595
                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 004785E2
                                                                                                            • GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 00478606
                                                                                                            • CloseHandle.KERNEL32(00000000,00478637,00000000,00000000,000000FF,000000FF,00000000,00478630,?,00000000,00478652,?,?,-00000010,?), ref: 0047862A
                                                                                                            Similarity
                                                                                                            • API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
                                                                                                            • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                                                                            • API String ID: 883996979-221126205
                                                                                                            APIs
                                                                                                            • SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 004229F4
                                                                                                            • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BBE), ref: 00422A04
                                                                                                            Similarity
                                                                                                            • API ID: MessageSendShowWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 1631623395-0
                                                                                                            APIs
                                                                                                            • IsIconic.USER32(?), ref: 00418393
                                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 004183B0
                                                                                                            • GetWindowRect.USER32(?), ref: 004183CC
                                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 004183DA
                                                                                                            • GetWindowLongA.USER32(?,000000F8), ref: 004183EF
                                                                                                            • ScreenToClient.USER32(00000000), ref: 004183F8
                                                                                                            • ScreenToClient.USER32(00000000,?), ref: 00418403
                                                                                                            Similarity
                                                                                                            • API ID: Window$ClientLongScreen$IconicPlacementRect
                                                                                                            • String ID: ,
                                                                                                            • API String ID: 2266315723-3772416878
                                                                                                            APIs
                                                                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 004555F3
                                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004555F9
                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455612
                                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455639
                                                                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0045563E
                                                                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 0045564F
                                                                                                            Similarity
                                                                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                            • API String ID: 107509674-3733053543
                                                                                                            APIs
                                                                                                            • GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045D191
                                                                                                            • GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045D1A1
                                                                                                            • GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045D1B1
                                                                                                            • ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047F96F,00000000,0047F998), ref: 0045D1D6
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$CryptVersion
                                                                                                            • String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
                                                                                                            • API String ID: 1951258720-508647305
                                                                                                            APIs
                                                                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0,?,?,00000000,0049B628), ref: 004980FB
                                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000010), ref: 0049817E
                                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000), ref: 00498196
                                                                                                            • FindClose.KERNEL32(000000FF,004981C1,004981BA,?,00000000,?,00000000,004981E2,?,?,00000000,0049B628,?,0049836C,00000000,004983C0), ref: 004981B4
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
APIs
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457611
• PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00457638
• SetForegroundWindow.USER32(?), ref: 00457649
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00457921,?,00000000,0045795D), ref: 0045790C
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 0045778C
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455F4B), ref: 00455E3C
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00455E42
Strings
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExA$kernel32.dll
• API String ID: 1646373207-3712701948
APIs
• IsIconic.USER32(?), ref: 00417D0F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
Strings
Similarity
• API ID: Window$Placement$Iconic
• String ID: ,
• API String ID: 568898626-3772416878
APIs
• SetErrorMode.KERNEL32(00000001,00000000,0046433F), ref: 004641CD
• FindFirstFileA.KERNEL32(00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 00464213
• FindNextFileA.KERNEL32(000000FF,?,00000000,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642C8
• FindClose.KERNEL32(000000FF,004642F3,004642EC,?,00000000,?,00000000,0046430A,?,00000001,00000000,0046433F), ref: 004642E6
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00463E99), ref: 00463D0D
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463D9C
• FindNextFileA.KERNEL32(000000FF,?,00000000,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E2E
• FindClose.KERNEL32(000000FF,00463E55,00463E4E,?,00000000,?,00000000,00463E6C,?,00000001,00000000,00463E99), ref: 00463E48
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E956
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E981
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E98E
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E996
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00452F3F,00000000,00452F60), ref: 0042E99C
Similarity
• API ID: ErrorLast$CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 1177325624-0
APIs
• IsIconic.USER32(?), ref: 0048397A
• GetWindowLongA.USER32(00000000,000000F0), ref: 00483998
• ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839BA
• ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049C0A8,00482E56,00482E8A,00000000,00482EAA,?,?,?,0049C0A8), ref: 004839CE
Similarity
• API ID: Window$Show$IconicLong
• String ID:
• API String ID: 2754861897-0
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00462824), ref: 004627A8
• FindNextFileA.KERNEL32(000000FF,?,00000000,00462804,?,00000000,?,00000000,00462824), ref: 004627E4
• FindClose.KERNEL32(000000FF,0046280B,00462804,?,00000000,?,00000000,00462824), ref: 004627FE
                                                                                                            Similarity
                                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 3541575487-0
                                                                                                            • Opcode ID: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                                            • Instruction ID: e6acefadc91213b77ea930f6be1f86c6134c8588622ee3d3acab995ed1c325b6
                                                                                                            • Opcode Fuzzy Hash: b12316252c39c0105a03a3a2020ea099ca75c42189d8bae58c1ecd15a925fcd0
                                                                                                            • Instruction Fuzzy Hash: 87210831904B08BECB11EB65CC41ACEB7ACDB49304F5084B7E808E32A1F6789E44CE69
APIs
• IsIconic.USER32(?), ref: 004241E4
• SetActiveWindow.USER32(?,?,?,0046CD53), ref: 004241F1
  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
  • Part of subcall function 00423B14: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,022625AC,0042420A,?,?,?,0046CD53), ref: 00423B4F
• SetFocus.USER32(00000000,?,?,?,0046CD53), ref: 0042421E
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Window$ActiveFocusIconicShow
• String ID:
• API String ID: 649377781-0
• Opcode ID: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
• Instruction ID: c953833529836f01456b8f788e47b4b7c36f7a841d6c6df07f57e62630513da6
• Opcode Fuzzy Hash: 1be179083055f96161d8b165ddd04f1e3bd56871e014c6a07f585ac04199aa1a
• Instruction Fuzzy Hash: 8CF030B170012097CB10BFAAA8C5B9676A8AB48344F5500BBBD05DF357CA7CDC018778
APIs
• IsIconic.USER32(?), ref: 00417D0F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D2D
• GetWindowPlacement.USER32(?,0000002C), ref: 00417D63
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D8A
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID:
• API String ID: 568898626-0
• Opcode ID: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
• Instruction ID: d9358ea7cd183770b33139a8ac7b7a0a70302bd2c01e5fc8313c3e2814ac7f2c
• Opcode Fuzzy Hash: 19084698f29920acc68274fefc6d1be37826273bcf8ca1bc36e8902df026f6c2
• Instruction Fuzzy Hash: 33012C71204108ABDB10EE59D8C1EF673A8AF45724F154566FD19DF242D639ED8087A8
APIs
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
• Opcode ID: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
• Instruction ID: 6cb7601519473143bf4e876ebf6758ccc8fc4fa751d6c6e0357a6193460a6b05
• Opcode Fuzzy Hash: c22591b8c3f2be6e3e416ff0957708157ed46c57fff49ed7de8fa542590db40d
• Instruction Fuzzy Hash: 0AF0A4723056425BD730AB2EC984AB762F69F84314B14403BE419CBFA1EB3CDCC08798
APIs
• IsIconic.USER32(?), ref: 0042419B
  • Part of subcall function 00423A84: EnumWindows.USER32(00423A1C), ref: 00423AA8
  • Part of subcall function 00423A84: GetWindow.USER32(?,00000003), ref: 00423ABD
  • Part of subcall function 00423A84: GetWindowLongA.USER32(?,000000EC), ref: 00423ACC
  • Part of subcall function 00423A84: SetWindowPos.USER32(00000000,\AB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241AB,?,?,00423D73), ref: 00423B02
• SetActiveWindow.USER32(?,?,?,00423D73,00000000,0042415C), ref: 004241AF
  • Part of subcall function 0042364C: ShowWindow.USER32(00410460,00000009,?,00000000,0041EDA4,0042393A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C0C), ref: 00423667
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Window$ActiveEnumIconicLongShowWindows
• String ID:
• API String ID: 2671590913-0
• Opcode ID: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
• Instruction ID: ce5d4440ec1c13bcfda566247f28ea27228b22b89c70f7a48f218b5e8bc86154
• Opcode Fuzzy Hash: b2ff140757208bd7b7cc33ac29151dbeb423d1cdddd3b288bc041a56f1810338
• Instruction Fuzzy Hash: 55E01AA070011087DB10AFAADCC8B9632A9BB48304F55017ABD49CF35BD63CC8608724
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127D5), ref: 004127C3
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
• Instruction ID: 2c049f03cfb376e3baa0368465928f91904f6d03483072bf0e6cb5f6a46bccc5
• Opcode Fuzzy Hash: 120c9c179850e2d77f2b5158c289480559fb4752f9becda92d3f5c4f199058c9
• Instruction Fuzzy Hash: 4A5102357082048FD710DB6ADA80A9BF3E5EF98314B2082BBD814C77A1D7B8AD91C75D
APIs
• NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00478C0E
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: NtdllProc_Window
• String ID:
• API String ID: 4255912815-0
• Opcode ID: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
• Instruction ID: 8fc52e73ba06cc46e730b07d7f7f94568764801a7b8f51cd1014d1f63996c257
• Opcode Fuzzy Hash: 35b14883da97521222dd4ba63ab43259808bc2fdd283b26f07d3c05bbd11cdae
• Instruction Fuzzy Hash: EC4148B5A44104DFCB10CF99C6888AAB7F5FB49310B64C99AF848DB701D738EE45DB58
APIs
• ArcFourCrypt._ISCRYPT(?,?,?,0046DEA4,?,?,0046DEA4,00000000), ref: 0045D247
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
• Instruction ID: 5effe0378c810cd07e0217cdc1e7a72ed78fe315a0c34b067f2c35eeb24cdbba
• Opcode Fuzzy Hash: 60613f318f2e56de1b1058283c26d55875caf569050bffc963c4b4a7e30f6a75
• Instruction Fuzzy Hash: D0C09BF200420CBF650057D5ECC9C77B75CE6586547408126F7048210195726C104574
APIs
• ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046DB14,?,0046DCF5), ref: 0045D25A
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: CryptFour
• String ID:
• API String ID: 2153018856-0
• Opcode ID: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
• Instruction ID: 17600df93846144bfd8e61cd07b91608ca2a028cf3222f5d1774599e6ed580aa
• Opcode Fuzzy Hash: d774fb8793e7b9215c4f3788321c424c537fe54849dfeb2a35b58218e4d2cefe
• Instruction Fuzzy Hash: B7A002F0B80300BAFD2057F15E5EF26252C97D0F01F2084657306E90D085A56400853C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2923031195.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2923005890.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 00000001.00000002.2923056565.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_10000000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                                            • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                                                                                            • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                                                                                            • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2923031195.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2923005890.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            • Associated: 00000001.00000002.2923056565.0000000010002000.00000002.00000001.01000000.00000007.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_10000000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                                            • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                                                                                            • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                                                                                            • Instruction Fuzzy Hash:
                                                                                                            APIs
                                                                                                              • Part of subcall function 0044B604: GetVersionExA.KERNEL32(00000094), ref: 0044B621
                                                                                                            • LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                                            • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                                            • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                                            • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B7C9
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B7DB
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B7ED
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B7FF
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B811
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B823
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B835
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B847
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B859
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B86B
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B87D
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B88F
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B8A1
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B8B3
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B8C5
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B8D7
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B8E9
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B8FB
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B90D
                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B91F
                                                                                                            • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B931
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B943
                                                                                                            • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B955
                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B967
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B979
                                                                                                            • GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B98B
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B99D
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B9AF
                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B9C1
                                                                                                            • GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B9D3
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$LibraryLoadVersion
                                                                                                            • String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
                                                                                                            • API String ID: 1968650500-2910565190
                                                                                                            • Opcode ID: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                                            • Instruction ID: e93aa9000a3b975727f71862fff1c9a8a52c50bca2d3d110ef64c9f3a3b13d35
                                                                                                            • Opcode Fuzzy Hash: 4248c38413e99d9464b79edb7fe9b1fdc4fa56b35b8262d24df0eec612bb70b6
                                                                                                            • Instruction Fuzzy Hash: D391A8F0A40B11ABEB00EFB5AD96A2A3BA8EB15714310067BB454DF295D778DC108FDD
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 0041CA40
                                                                                                            • CreateCompatibleDC.GDI32(?), ref: 0041CA4C
                                                                                                            • CreateBitmap.GDI32(0041A944,?,00000001,00000001,00000000), ref: 0041CA70
                                                                                                            • CreateCompatibleBitmap.GDI32(?,0041A944,?), ref: 0041CA80
                                                                                                            • SelectObject.GDI32(0041CE3C,00000000), ref: 0041CA9B
                                                                                                            • FillRect.USER32(0041CE3C,?,?), ref: 0041CAD6
                                                                                                            • SetTextColor.GDI32(0041CE3C,00000000), ref: 0041CAEB
                                                                                                            • SetBkColor.GDI32(0041CE3C,00000000), ref: 0041CB02
                                                                                                            • PatBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00FF0062), ref: 0041CB18
                                                                                                            • CreateCompatibleDC.GDI32(?), ref: 0041CB2B
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041CB5C
                                                                                                            • SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CB74
                                                                                                            • RealizePalette.GDI32(00000000), ref: 0041CB7D
                                                                                                            • SelectPalette.GDI32(0041CE3C,00000000,00000001), ref: 0041CB8C
                                                                                                            • RealizePalette.GDI32(0041CE3C), ref: 0041CB95
                                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0041CBAE
                                                                                                            • SetBkColor.GDI32(00000000,00000000), ref: 0041CBC5
                                                                                                            • BitBlt.GDI32(0041CE3C,00000000,00000000,0041A944,?,00000000,00000000,00000000,00CC0020), ref: 0041CBE1
                                                                                                            • SelectObject.GDI32(00000000,?), ref: 0041CBEE
                                                                                                            • DeleteDC.GDI32(00000000), ref: 0041CC04
                                                                                                              • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
                                                                                                            • String ID:
                                                                                                            • API String ID: 269503290-0
                                                                                                            • Opcode ID: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                                            • Instruction ID: 91afdf38925dfcc0a19aef53af63d8b93a06df8cfedaf367688fa0d34ebdb442
                                                                                                            • Opcode Fuzzy Hash: 8288b1a004c19d08e53adfd80f36b756ff19622159534b91a17c952f52f31838
                                                                                                            • Instruction Fuzzy Hash: 01610071A44648AFDF10EBE9DC86FDFB7B8EB48704F10446AB504E7281D67CA940CB68
                                                                                                            APIs
                                                                                                            • CoCreateInstance.OLE32(00499A74,00000000,00000001,00499774,?,00000000,004569E3), ref: 0045667E
                                                                                                            • CoCreateInstance.OLE32(00499764,00000000,00000001,00499774,?,00000000,004569E3), ref: 004566A4
                                                                                                            • SysFreeString.OLEAUT32(00000000), ref: 0045685B
                                                                                                            Strings
                                                                                                            • IShellLink::QueryInterface(IID_IPersistFile), xrefs: 00456904
                                                                                                            • {pf32}\, xrefs: 0045671E
                                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 004568CA
                                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456840
                                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 00456892
                                                                                                            • IPropertyStore::Commit, xrefs: 004568E3
                                                                                                            • %ProgramFiles(x86)%\, xrefs: 0045672E
                                                                                                            • CoCreateInstance, xrefs: 004566AF
                                                                                                            • IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 004567BD
                                                                                                            • IPersistFile::Save, xrefs: 00456962
                                                                                                            • IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 004567F1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateInstance$FreeString
                                                                                                            • String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
                                                                                                            • API String ID: 308859552-2363233914
                                                                                                            • Opcode ID: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
                                                                                                            • Instruction ID: 2d3acbfbfe5134b3b68b6dcde43dfe431d970b0eaffbfac770a5f5266a6492d0
• Opcode Fuzzy Hash: 26ac11ebc8d2bbba6934e2b7da4071208c956f88b3f37f3572524cf0602978ca
• Instruction Fuzzy Hash: 39B13170A00104AFDB50DFA9C845B9E7BF8AF09706F5540AAF804E7362DB78DD48CB69
APIs
• ShowWindow.USER32(?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000,00498B29,?,00000000), ref: 00498453
• CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000,?,00498B1F,00000000), ref: 00498466
• ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000,00000000), ref: 00498476
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00498497
• ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00498768,?,?,00000000,?,00000000), ref: 004984A7
  • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
Strings
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
• String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
• API String ID: 2000705611-3672972446
• Opcode ID: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
• Instruction ID: 1a66146e65e487955493167600903b91e60bc3637ed1504a34615a6495e02ea1
• Opcode Fuzzy Hash: d895cb7c5264c7428a24ad32bd1f4b93e6c699b182eb53adebeee5f7002e5ba1
• Instruction Fuzzy Hash: 5191A434A042049FDF11EBA9DC52BAE7BE5EF4A304F5144BBF500AB692DE7C9C05CA19
APIs
• GetLastError.KERNEL32(00000000,0045A994,?,?,?,?,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 0045A846
Strings
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ErrorLast
• String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
• API String ID: 1452528299-3112430753
• Opcode ID: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
• Instruction ID: 43962401d403c06de7b31dde6fd87328655f81364e16ca473e433d379c6e1912
• Opcode Fuzzy Hash: 41204ac3778d0b79d3de2409b6c45a5b2ad533d11cb42b90e75a22724f80c331
• Instruction Fuzzy Hash: EC719070B002545BCB00EB6998417AE77A49F4931AF91896BFC01AB383DB7C9E1DC75E
APIs
• GetVersion.KERNEL32 ref: 0045CBDA
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045CBFA
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045CC07
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045CC14
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045CC22
  • Part of subcall function 0045CAC8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045CB67,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045CB41
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCDB
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045CE15,?,?,00000000), ref: 0045CCE4
Strings
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
• Instruction ID: 99773ef8a3d0261052733c4904a47669a242c0659fe16ead1f438c4abb71ff4e
• Opcode Fuzzy Hash: a232fc9af4861a9c5d561c4cdd8364b97c4fb44f2e207c549b4316288fabcd11
• Instruction Fuzzy Hash: BD518471900308EFDB10DF99C881BEEBBB8EB48711F14806AF904E7241C678A945CFA9
APIs
• CreateCompatibleDC.GDI32(00000000), ref: 0041B3C3
• CreateCompatibleDC.GDI32(00000000), ref: 0041B3CD
• GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3DF
• CreateBitmap.GDI32(0000000B,?,00000001,00000001,00000000), ref: 0041B3F6
• GetDC.USER32(00000000), ref: 0041B402
• CreateCompatibleBitmap.GDI32(00000000,0000000B,?), ref: 0041B42F
• ReleaseDC.USER32(00000000,00000000), ref: 0041B455
• SelectObject.GDI32(00000000,?), ref: 0041B470
• SelectObject.GDI32(?,00000000), ref: 0041B47F
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
• SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
• SelectObject.GDI32(?,00000000), ref: 0041B4C7
• DeleteDC.GDI32(00000000), ref: 0041B4D0
• DeleteDC.GDI32(?), ref: 0041B4D9
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
• String ID:
• API String ID: 644427674-0
• Opcode ID: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
• Instruction ID: 0f3e5998203d07172116f12fa3fedaa120d09cd030f2870c51d139f455c41937
• Opcode Fuzzy Hash: 9212dc48eb065078ffd6e64a0fe4b3e7e755c3ed7e1f96497366cc94fc87ddf9
• Instruction Fuzzy Hash: E941AD71E44619AFDB10DAE9C846FEFB7BCEB08704F104466B614F7281D6786D408BA8
APIs
  • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00472D00
• SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00472E07
• SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00472E1D
• SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00472E42
Strings
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
• String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
• API String ID: 971782779-3668018701
• Opcode ID: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
• Instruction ID: 7edda302242157afef40b0e7c7e05039b068dedd9e36cd510e855ba872eb221a
• Opcode Fuzzy Hash: 2d89b570042f54901974877e938fd47b21837ccabee8972bdab534961fdf4a04
• Instruction Fuzzy Hash: D0D14574A001489FDB11EFA9D981BDDBBF4AF08304F50816AF904B7392C778AE45CB69
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,?,00000000,?,00000000,00454B0D,?,0045AB6A,00000003,00000000,00000000,00454B44), ref: 0045498D
  • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
• RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A11
• RegQueryValueExA.ADVAPI32(0045AB6A,00000000,00000000,00000000,?,00000004,00000000,00454A57,?,0045AB6A,00000000,00000000,?,00000000,?,00000000), ref: 00454A40
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548AB
• RegOpenKeyEx, xrefs: 00454910
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 004548E4
• , xrefs: 004548FE
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: QueryValue$FormatMessageOpen
• String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2812809588-1577016196
• Opcode ID: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
• Instruction ID: 3b35aed17da8244e85d272d2923899a44a2159637523a8fd9e70e85f8d21f96a
• Opcode Fuzzy Hash: 742d62a6869efcab47093dbd07b67c32618791e42156db71d55ecd28429abb8c
• Instruction Fuzzy Hash: 23914871E44148ABDB10DF95C842BDEB7FCEB49309F50406BF900FB282D6789E458B69
APIs
  • Part of subcall function 00459364: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004594FF
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 00459569
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459659,?,00000000,00000000,00000000), ref: 004595D0
Strings
• SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0045951C
• .NET Framework not found, xrefs: 0045961D
• v1.1.4322, xrefs: 004595C2
• v2.0.50727, xrefs: 0045955B
• SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459583
• SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 004594B2
• v4.0.30319, xrefs: 004594F1
• .NET Framework version %s not found, xrefs: 00459609
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Close$Open
• String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
• API String ID: 2976201327-446240816
• Opcode ID: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
• Instruction ID: e7879d346446e6db82ad1067b50e8ffdd52b59a139ce3e0e88c8f748029a0227
• Opcode Fuzzy Hash: 06cdcde3b802fa8939e5b925d5f0cc04c3aa7329a2dd441772a6abba54712f42
• Instruction Fuzzy Hash: EB51A331A04148EBCB01DFA8C8A1BEE77A5DB59305F54447BA801DB353EA3D9E1ECB19
APIs
• CloseHandle.KERNEL32(?), ref: 00458A7B
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
                                                                                                            • GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
                                                                                                            • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
                                                                                                            Strings
                                                                                                            • Stopping 64-bit helper process. (PID: %u), xrefs: 00458A6D
                                                                                                            • Helper process exited with failure code: 0x%x, xrefs: 00458AE3
                                                                                                            • Helper isn't responding; killing it., xrefs: 00458A87
                                                                                                            • Helper process exited., xrefs: 00458AC5
                                                                                                            • Helper process exited, but failed to get exit code., xrefs: 00458AEF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                                                                            • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                                                                            • API String ID: 3355656108-1243109208
                                                                                                            • Opcode ID: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                                            • Instruction ID: 3f2324d87e707cedf1d5c4e10b6e93e7b0b52df74c864805f1ac214018e434b5
                                                                                                            • Opcode Fuzzy Hash: 5acb86a21610ff93fc26a18ca7688f4a609edf5baed34ffefeefbdc5f868b4c1
                                                                                                            • Instruction Fuzzy Hash: 2F2130706087409AD720E779C44575BB6D49F08345F04CC2FF99AEB283DF78E8488B2A
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045478B
                                                                                                              • Part of subcall function 0042E8C8: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00453273,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E8E7
                                                                                                            Strings
                                                                                                            • , xrefs: 004545B1
                                                                                                            • RegCreateKeyEx, xrefs: 004545C3
                                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454567
                                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454597
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateFormatMessageQueryValue
                                                                                                            • String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                                                                            • API String ID: 2481121983-1280779767
                                                                                                            • Opcode ID: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                                                            • Instruction ID: 93c55a0ab54dbcba353dd8d7ef9dbdddde8d62e860aeeeeaccb8ee2ace91ec52
                                                                                                            • Opcode Fuzzy Hash: 1658ad98f5d652d8ab18f870bc50976d397f5a9f15be4283fc870004d2c294f4
                                                                                                            • Instruction Fuzzy Hash: 49810F75A00209AFDB00DFD5C981BDEB7B8EB49309F10452AF900FB282D7789E45CB69
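Added example (not part of the Joe Sandbox report and not code from the analysed sample): a small Python parser for the "APIs" lines in the function listings above, written to turn them into an ordered call sequence for triage. The constructed input copies lines from the helper-process function (refs 00458A7B to 00458B19), the subcall and RegQueryValueExA lines of the SharedDLLs function, the TransactNamedPipe line further down (its trailing stack slots shortened) and one GetActiveWindow line. It decodes the hex immediates (00002710 is a 10000 ms wait, 000000FA a 250 ms sleep), orders calls by ref address, and trims each call to its documented parameter count, because the report prints raw stack slots beyond the prototype: CloseHandle takes one argument, yet the line at 00458AFD shows ten values. The parameter counts, and the image range used to flag pointers into the executable (0x400000 up to the 004AB000 region named under Memory Dump Source), are assumptions taken from the Windows API documentation and the report header.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Assumption from the "Memory Dump Source" lines: image mapped at 00400000,
# last listed region starts at 004AB000 (assumed to be one page long).
IMAGE_BASE = 0x400000
IMAGE_END = 0x4AB000 + 0x1000

# Assumption: documented parameter counts for the APIs in the listings.
# The report prints raw stack slots, so lines usually show more values than this.
PROTOTYPE_ARGC = {
    "CloseHandle": 1, "TerminateProcess": 2, "WaitForSingleObject": 2,
    "GetExitCodeProcess": 2, "Sleep": 1, "GetActiveWindow": 0,
    "RegCreateKeyExA": 9, "RegQueryValueExA": 6, "TransactNamedPipe": 7,
}
# Index of the millisecond timeout argument for the wait/sleep APIs.
TIMEOUT_ARG = {"WaitForSingleObject": 1, "Sleep": 0}

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_ARG = re.compile(r"^(?P<neg>-?)(?P<val>[0-9A-F]{8})$")

Arg = Union[int, str, None]  # hex value, inline string literal, or "?" (unknown)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                            # call-site address inside the image
    args: List[Arg] = field(default_factory=list)
    subcall_of: Optional[int] = None    # set for "Part of subcall function XXXX" lines


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    m = HEX_ARG.match(tok)
    if m:
        v = int(m.group("val"), 16)
        return -v if m.group("neg") else v  # negative values kept signed, as printed
    return tok                               # e.g. STATIC, kernel32.dll, .tmp


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line in text; headers and string lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [parse_arg(a) for a in raw.split(",")]
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), int(m.group("ref"), 16), args, sub))
    calls.sort(key=lambda c: c.ref)  # call-site order, as the listing shows it
    return calls


def prototype_args(call: ApiCall) -> List[Arg]:
    """Trim the stack dump to the API's real parameter count (unknown APIs left whole)."""
    n = PROTOTYPE_ARGC.get(call.api)
    return call.args if n is None else call.args[:n]


def describe_arg(a: Arg) -> str:
    if a is None:
        return "?"
    if isinstance(a, str):
        return repr(a)
    if IMAGE_BASE <= a < IMAGE_END:
        return f"&image+{a - IMAGE_BASE:#x}"  # pointer into the executable
    return f"{a:#x} ({a})"


def call_sequence(calls: List[ApiCall]) -> List[str]:
    """One readable line per call, in address order, trimmed to the prototype."""
    out = []
    for c in calls:
        args = ", ".join(describe_arg(a) for a in prototype_args(c))
        tag = f" [in subcall {c.subcall_of:08X}]" if c.subcall_of is not None else ""
        out.append(f"{c.ref:08X} {c.api}({args}){tag}")
    return out


def timeouts_ms(calls: List[ApiCall]):
    """(api, ref, milliseconds) for each wait/sleep whose timeout is a concrete immediate."""
    found = []
    for c in calls:
        i = TIMEOUT_ARG.get(c.api)
        if i is not None and i < len(c.args) and isinstance(c.args[i], int):
            found.append((c.api, c.ref, c.args[i]))
    return found


# Constructed input: lines copied from the listings on this page.
SAMPLE = """\
  • Part of subcall function 0042DDE4: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DE10
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,004546FF,?,00000000,004547C3), ref: 0045464F
• CloseHandle.KERNEL32(?), ref: 00458A7B
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00458A97
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00458AA5
• GetExitCodeProcess.KERNEL32(?), ref: 00458AB6
• CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458AFD
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458B19
• TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02263858,?,00000000,00458D90), ref: 00458CD6
• GetActiveWindow.USER32 ref: 004629FC
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print("\n".join(call_sequence(calls)))
    for api, ref, ms in timeouts_ms(calls):
        print(f"{ref:08X} {api} waits {ms} ms")
```

Run over the sample, the sequence reads as a supervision loop: wait up to 10000 ms on the process handle, terminate it with exit code 1 if the wait fails, fetch its exit code, close the handle and sleep 250 ms. Values that fall inside the mapped image (such as 004546FF on the RegQueryValueExA line) are shown as image offsets, which is the usual sign of a return address or string pointer rather than an immediate.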
                                                                                                            APIs
                                                                                                              • Part of subcall function 004538BC: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                                              • Part of subcall function 004538BC: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                                            • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00496CCD
                                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00496E21), ref: 00496CEE
                                                                                                            • CreateWindowExA.USER32(00000000,STATIC,00496E30,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00496D15
                                                                                                            • SetWindowLongA.USER32(?,000000FC,004964A8), ref: 00496D28
                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC,00496E30), ref: 00496D58
                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00496DCC
                                                                                                            • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000), ref: 00496DD8
                                                                                                              • Part of subcall function 00453D30: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                                            • DestroyWindow.USER32(?,00496DFB,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00496DF4,?,?,000000FC,004964A8,00000000,STATIC), ref: 00496DEE
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                                            • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                                            • API String ID: 1549857992-2312673372
                                                                                                            • Opcode ID: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                                            • Instruction ID: 18f462a79ff6f3765b6ab1b49dcd34ad23a8ddcce266b6658739bc0f5698dca4
                                                                                                            • Opcode Fuzzy Hash: e4b2ecfcfa893ff17553470f1835d2c21342bacfaf5c8ca03e615e843d4af16f
                                                                                                            • Instruction Fuzzy Hash: 61414C70A40208AFDF00EBA5DD42F9E7BB8EB08714F52457AF510F7291D7799E008B68
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E441
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E447
                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E51D,?,00000000,0047E6DC,00000000), ref: 0042E495
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressCloseHandleModuleProc
                                                                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$QaE$kernel32.dll
                                                                                                            • API String ID: 4190037839-2312295185
                                                                                                            • Opcode ID: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                                            • Instruction ID: f42d7e7755912f49377b3a3c2778cbb45b18f2cdc7334bb7b0fb93ca3fe573dd
                                                                                                            • Opcode Fuzzy Hash: 6084c433af3ee4d64f0cd9982e7ad42a34d4dd09e5920a5815d9b88696e74604
                                                                                                            • Instruction Fuzzy Hash: E8213230B10225BBDB10EAE6DC51B9E76B8EB44308F90447BA504E7281E77CDE419B5C
                                                                                                            APIs
                                                                                                            • GetActiveWindow.USER32 ref: 004629FC
                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 00462A10
                                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462A1D
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462A2A
                                                                                                            • GetWindowRect.USER32(?,00000000), ref: 00462A76
                                                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 00462AB4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                            • API String ID: 2610873146-3407710046
                                                                                                            • Opcode ID: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                                            • Instruction ID: 865a179037155f8fdabe2954c964c2dd38b7d55406d5d1e7c7801a7b23b437f8
                                                                                                            • Opcode Fuzzy Hash: 49e394185691d1c2da29acdf0cb3719649ef4a9244e3d7219ece30713ed86938
                                                                                                            • Instruction Fuzzy Hash: B7219575701B057BD610D6A88D85F3B36D8EB84715F094A2AF944DB3C1E6F8EC018B9A
                                                                                                            APIs
                                                                                                            • GetActiveWindow.USER32 ref: 0042F194
                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F1A8
                                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F1B5
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F1C2
                                                                                                            • GetWindowRect.USER32(?,00000000), ref: 0042F20E
                                                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F24C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                            • API String ID: 2610873146-3407710046
                                                                                                            • Opcode ID: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                                            • Instruction ID: 50a2e38ba83faf67dd7c56e8d7733487d454ef14a416094e89dadcccf0bf0910
                                                                                                            • Opcode Fuzzy Hash: d786bd72f778b9cca068a569f688e0802e61ee9ccadb1309323c976dabd5d685
                                                                                                            • Instruction Fuzzy Hash: 3821F279704710ABD300EA68ED41F3B37A9DB89714F88457AF944DB382DA79EC044BA9
                                                                                                            APIs
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00458DFB,?,00000000,00458E5E,?,?,02263858,00000000), ref: 00458C79
                                                                                                            • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02263858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CD6
                                                                                                            • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02263858,?,00000000,00458D90,?,00000000,00000001,00000000,00000000,00000000,00458DFB), ref: 00458CE3
                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 00458D2F
                                                                                                            • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02263858,?,00000000,00458D90,?,00000000), ref: 00458D55
                                                                                                            • GetLastError.KERNEL32(?,?,00000000,00000001,00458D69,?,-00000020,0000000C,-00004034,00000014,02263858,?,00000000,00458D90,?,00000000), ref: 00458D5C
                                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                                                                            • String ID: CreateEvent$TransactNamedPipe
                                                                                                            • API String ID: 2182916169-3012584893
                                                                                                            • Opcode ID: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                                            • Instruction ID: 06b5d05a5e38ae799b2edb69ba26f0faef77b18cb4ad173b91f5c3c95d125767
                                                                                                            • Opcode Fuzzy Hash: 7b509680db312d6d9eeee96a6ca75077f36d693cf911451bc7dd7bcd49c3517f
                                                                                                            • Instruction Fuzzy Hash: EF418E75A00608AFDB15DF95C981F9EB7F8EB48714F1044AAF900F72D2DA789E44CA28
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00456E85,?,?,00000031,?), ref: 00456D48
                                                                                                            • GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00456D4E
                                                                                                            • LoadTypeLib.OLEAUT32(00000000,?), ref: 00456D9B
                                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressErrorHandleLastLoadModuleProcType
                                                                                                            • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                                                                            • API String ID: 1914119943-2711329623
                                                                                                            • Opcode ID: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                                            • Instruction ID: d1bb8c6bfccdc0522a96f5e3020b18907c52df716e7671809b7eaf465cfb4023
                                                                                                            • Opcode Fuzzy Hash: e2963ea3afedc97cdb575031c9274042e2bd1e61e6c3a56a36b999a051922bf2
                                                                                                            • Instruction Fuzzy Hash: 6831A375A00604AFDB41EFAACC12D5BB7BDEB8970675244A6FD04D3352DB38DD08CA28
                                                                                                            APIs
                                                                                                            • RectVisible.GDI32(?,?), ref: 00416E13
                                                                                                            • SaveDC.GDI32(?), ref: 00416E27
                                                                                                            • IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E4A
                                                                                                            • RestoreDC.GDI32(?,?), ref: 00416E65
                                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00416EE5
                                                                                                            • FrameRect.USER32(?,?,?), ref: 00416F18
                                                                                                            • DeleteObject.GDI32(?), ref: 00416F22
                                                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00416F32
                                                                                                            • FrameRect.USER32(?,?,?), ref: 00416F65
                                                                                                            • DeleteObject.GDI32(?), ref: 00416F6F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
                                                                                                            • String ID:
                                                                                                            • API String ID: 375863564-0
                                                                                                            • Opcode ID: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                                            • Instruction ID: c082a38e55a2621cff38c0036c5e412d4739722926df34ebe37a7eff5f7859fc
                                                                                                            • Opcode Fuzzy Hash: c69605c35faac69eeef83e1ef2bcb629ef32bf90482d96ab6e01708da643fe70
                                                                                                            • Instruction Fuzzy Hash: 70515A712086459FDB50EF69C8C4B9B77E8AF48314F15466AFD488B286C738EC81CB99
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
                                                                                                            • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
                                                                                                            • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
                                                                                                            • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
                                                                                                            • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
                                                                                                            • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
                                                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
                                                                                                            • GetFileType.KERNEL32(?,000000F5), ref: 00404C11
                                                                                                            • CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
                                                                                                            • GetLastError.KERNEL32(000000F5), ref: 00404C46
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                                            • String ID:
                                                                                                            • API String ID: 1694776339-0
                                                                                                            • Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                            • Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
                                                                                                            • Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
                                                                                                            • Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
                                                                                                            APIs
                                                                                                            • GetSystemMenu.USER32(00000000,00000000), ref: 00422233
                                                                                                            • DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422251
                                                                                                            • DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042225E
                                                                                                            • DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226B
                                                                                                            • DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422278
                                                                                                            • DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422285
                                                                                                            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 00422292
                                                                                                            • DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0042229F
                                                                                                            • EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222BD
                                                                                                            • EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222D9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$Delete$EnableItem$System
                                                                                                            • String ID:
                                                                                                            • API String ID: 3985193851-0
                                                                                                            • Opcode ID: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                                            • Instruction ID: 662ae76830c3dbb110fd6952920e185112f137d20e740dc0dcce1beff7d7cd05
                                                                                                            • Opcode Fuzzy Hash: 794ac4a4d1563d503d4e128f610caca5ba976f2c29ed192f4e654ec8c2abe850
                                                                                                            • Instruction Fuzzy Hash: AF2144703407047AE720E724CD8BF9BBBD89B04708F5451A5BA487F6D3C6F9AB804698
                                                                                                            APIs
                                                                                                            • FreeLibrary.KERNEL32(10000000), ref: 00481A11
                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00481A25
                                                                                                            • SendNotifyMessageA.USER32(0001041E,00000496,00002710,00000000), ref: 00481A97
                                                                                                            Strings
                                                                                                            • Deinitializing Setup., xrefs: 00481872
                                                                                                            • GetCustomSetupExitCode, xrefs: 004818B1
                                                                                                            • DeinitializeSetup, xrefs: 0048190D
                                                                                                            • Not restarting Windows because Setup is being run from the debugger., xrefs: 00481A46
                                                                                                            • Restarting Windows., xrefs: 00481A72
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FreeLibrary$MessageNotifySend
                                                                                                            • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                                            • API String ID: 3817813901-1884538726
                                                                                                            • Opcode ID: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                                            • Instruction ID: b122ee3e0244d1cffd13458a0655c780be2d4a3cdc4850abd58d30bc7702deed
                                                                                                            • Opcode Fuzzy Hash: b2d1279a618dd00e76101f6ddb87be929459601488252b11527f6c6d16611b1a
                                                                                                            • Instruction Fuzzy Hash: C651BF347042409FD715EB69E9A5B6E7BE8EB19314F10887BE800C72B2DB389C46CB5D
                                                                                                            APIs
                                                                                                            • SHGetMalloc.SHELL32(?), ref: 004616C7
                                                                                                            • GetActiveWindow.USER32 ref: 0046172B
                                                                                                            • CoInitialize.OLE32(00000000), ref: 0046173F
                                                                                                            • SHBrowseForFolder.SHELL32(?), ref: 00461756
                                                                                                            • CoUninitialize.OLE32(00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046176B
                                                                                                            • SetActiveWindow.USER32(?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 00461781
                                                                                                            • SetActiveWindow.USER32(?,?,00461797,00000000,?,?,?,?,?,00000000,0046181B), ref: 0046178A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
                                                                                                            • String ID: A
                                                                                                            • API String ID: 2684663990-3554254475
                                                                                                            APIs
                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15,?,?,00000000,00472F84), ref: 00472A1C
                                                                                                              • Part of subcall function 0042CD94: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CE0A
                                                                                                              • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000,?,00472D15), ref: 00472A93
                                                                                                            • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00472AB9,?,?,?,00000008,00000000,00000000,00000000), ref: 00472A99
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
                                                                                                            • String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
                                                                                                            • API String ID: 884541143-1710247218
                                                                                                            APIs
                                                                                                            • GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045D2BD
                                                                                                            • GetProcAddress.KERNEL32(00000000,inflate), ref: 0045D2CD
                                                                                                            • GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045D2DD
                                                                                                            • GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045D2ED
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc
                                                                                                            • String ID: inflate$inflateEnd$inflateInit_$inflateReset
                                                                                                            • API String ID: 190572456-3516654456
                                                                                                            APIs
                                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041A9B9
                                                                                                            • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041A9F3
                                                                                                            • SetBkColor.GDI32(?,?), ref: 0041AA08
                                                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA52
                                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0041AA5D
                                                                                                            • SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA6D
                                                                                                            • StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AAAC
                                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0041AAB6
                                                                                                            • SetBkColor.GDI32(00000000,?), ref: 0041AAC3
                                                                                                            Similarity
                                                                                                            • API ID: Color$StretchText
                                                                                                            • String ID:
                                                                                                            • API String ID: 2984075790-0
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                            • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458278,?, /s ",?,regsvr32.exe",?,00458278), ref: 004581EA
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: CloseDirectoryHandleSystem
                                                                                                            • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                                                                            • API String ID: 2051275411-1862435767
                                                                                                            APIs
                                                                                                            • OffsetRect.USER32(?,00000001,00000001), ref: 0044D1A9
                                                                                                            • GetSysColor.USER32(00000014), ref: 0044D1B0
                                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0044D1C8
                                                                                                            • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D1F1
                                                                                                            • OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D1FB
                                                                                                            • GetSysColor.USER32(00000010), ref: 0044D202
                                                                                                            • SetTextColor.GDI32(00000000,00000000), ref: 0044D21A
                                                                                                            • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D243
                                                                                                            • DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D26E
                                                                                                            Similarity
                                                                                                            • API ID: Text$Color$Draw$OffsetRect
                                                                                                            • String ID:
                                                                                                            • API String ID: 1005981011-0
                                                                                                            APIs
                                                                                                            • GetFocus.USER32 ref: 0041B745
                                                                                                            • GetDC.USER32(?), ref: 0041B751
                                                                                                            • SelectPalette.GDI32(00000000,?,00000000), ref: 0041B786
                                                                                                            • RealizePalette.GDI32(00000000), ref: 0041B792
                                                                                                            • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041B7C0
                                                                                                            • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041B7F4
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                                            • String ID: %H
                                                                                                            • API String ID: 3275473261-1959103961
                                                                                                            APIs
                                                                                                            • GetFocus.USER32 ref: 0041BA17
                                                                                                            • GetDC.USER32(?), ref: 0041BA23
                                                                                                            • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BA5D
                                                                                                            • RealizePalette.GDI32(00000000), ref: 0041BA69
                                                                                                            • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BA8D
                                                                                                            • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BAC1
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                                            • String ID: %H
                                                                                                            • API String ID: 3275473261-1959103961
                                                                                                            APIs
                                                                                                              • Part of subcall function 0045092C: SetEndOfFile.KERNEL32(?,?,0045C342,00000000,0045C4CD,?,00000000,00000002,00000002), ref: 00450933
                                                                                                              • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00496585
                                                                                                            • OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00496599
                                                                                                            • SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 004965B3
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965BF
                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965C5
                                                                                                            • Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 004965D8
                                                                                                            Strings
                                                                                                            • Deleting Uninstall data files., xrefs: 004964FB
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
                                                                                                            • String ID: Deleting Uninstall data files.
                                                                                                            • API String ID: 1570157960-2568741658
                                                                                                            • Opcode ID: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                                            • Instruction ID: caddedc05ae4add9971b90b84c259ce0cd5246952d50e779d54ebc968ffbf915
                                                                                                            • Opcode Fuzzy Hash: 8e8cb50e53c2c3b2038bacabf8c777ac21aad5dfe2dc8a8db11d37eec289bdf4
                                                                                                            • Instruction Fuzzy Hash: 73216170204250BFEB10EB6ABC82B2637A8DB54728F53453BB501961D6DA7CAC448A6D
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                            • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9,?,?,?,?,00000000), ref: 00470263
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,004702F9), ref: 0047027A
                                                                                                            • AddFontResourceA.GDI32(00000000), ref: 00470297
                                                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 004702AB
                                                                                                            Strings
                                                                                                            • AddFontResource, xrefs: 004702B5
                                                                                                            • Failed to set value in Fonts registry key., xrefs: 0047026C
                                                                                                            • Failed to open Fonts registry key., xrefs: 00470281
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseFontMessageNotifyOpenResourceSendValue
                                                                                                            • String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
                                                                                                            • API String ID: 955540645-649663873
                                                                                                            • Opcode ID: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                                            • Instruction ID: 122e39bb1ea2b43e4c2a7da55aa69ddad999e5e54c07bca5f4119535fc7344d3
                                                                                                            • Opcode Fuzzy Hash: f6cb4db48621d05014dac95341ab5faf08594db0be4636be460d29a68d9f0f75
                                                                                                            • Instruction Fuzzy Hash: 6921E271741204BBDB10EAA68C46FAE67AC9B14704F208477B904EB3C3DA7C9E01866D
                                                                                                            APIs
                                                                                                              • Part of subcall function 00416410: GetClassInfoA.USER32(00400000,?,?), ref: 0041647F
                                                                                                              • Part of subcall function 00416410: UnregisterClassA.USER32(?,00400000), ref: 004164AB
                                                                                                              • Part of subcall function 00416410: RegisterClassA.USER32(?), ref: 004164CE
                                                                                                            • GetVersion.KERNEL32 ref: 00462E60
                                                                                                            • SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 00462E9E
                                                                                                            • SHGetFileInfo.SHELL32(00462F3C,00000000,?,00000160,00004011), ref: 00462EBB
                                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 00462ED9
                                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462EDF
                                                                                                            • SetCursor.USER32(?,00462F1F,00007F02,00462F3C,00000000,?,00000160,00004011), ref: 00462F12
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
                                                                                                            • String ID: Explorer
                                                                                                            • API String ID: 2594429197-512347832
                                                                                                            • Opcode ID: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                                            • Instruction ID: b0f6820fd5a5ea072646c086af9eca81c98a3cd1ffd9b7ca0f87214cf94a4ba1
                                                                                                            • Opcode Fuzzy Hash: 271d5cc6534746d744017855cbe3809792a4a5bc456b5a0a77df68c724b1ffee
                                                                                                            • Instruction Fuzzy Hash: CD21E7307403047AEB15BB759D47B9A3798DB09708F4004BFFA05EA1C3EEBD9901966D
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02262BD8,?,?,?,02262BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 00478389
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0047838F
                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02262BD8,?,?,?,02262BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783A2
                                                                                                            • CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02262BD8,?,?,?,02262BD8), ref: 004783CC
                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,02262BD8,00478534,00000000,00478652,?,?,-00000010,?), ref: 004783EA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileHandle$AddressAttributesCloseCreateModuleProc
                                                                                                            • String ID: GetFinalPathNameByHandleA$kernel32.dll
                                                                                                            • API String ID: 2704155762-2318956294
                                                                                                            • Opcode ID: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                                            • Instruction ID: 2a72e966618face2f1bd82d2a524167157479a72732682c44667b4342ad9b4bf
                                                                                                            • Opcode Fuzzy Hash: 606546fc07dcf4a3bd117f62e36919ba8c62e6b487fb6962041f4ee6dba1ecda
                                                                                                            • Instruction Fuzzy Hash: 370180A07C070536E520316A4C8AFBB654C8B50769F14863FBA1DFA2D3FDED9D06016E
                                                                                                            APIs
                                                                                                            • GetLastError.KERNEL32(00000000,00459F8E,?,00000000,00000000,00000000,?,00000006,?,00000000,0049785D,?,00000000,00497900), ref: 00459ED2
                                                                                                              • Part of subcall function 004543F4: FindClose.KERNEL32(000000FF,004544EA), ref: 004544D9
                                                                                                            Strings
                                                                                                            • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459F47
                                                                                                            • Failed to delete directory (%d)., xrefs: 00459F68
                                                                                                            • Deleting directory: %s, xrefs: 00459E5B
                                                                                                            • Failed to strip read-only attribute., xrefs: 00459EA0
                                                                                                            • Failed to delete directory (%d). Will retry later., xrefs: 00459EEB
                                                                                                            • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00459EAC
                                                                                                            • Stripped read-only attribute., xrefs: 00459E94
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseErrorFindLast
                                                                                                            • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                                                                            • API String ID: 754982922-1448842058
                                                                                                            • Opcode ID: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                                            • Instruction ID: b8d9b7298ea7c3337bda5d500217c07e27fbd6b384233f4239b27a523d6d10d0
                                                                                                            • Opcode Fuzzy Hash: 9c44e2e7f6fe757755561f6ca8568e0fef47b87f075e017b2858cb20ebfba709
                                                                                                            • Instruction Fuzzy Hash: 1841A331A04208CACB10EB69C8413AEB6A55F4530AF54897BAC01D73D3CB7C8E0DC75E
                                                                                                            APIs
                                                                                                            • GetCapture.USER32 ref: 00422EA4
                                                                                                            • GetCapture.USER32 ref: 00422EB3
                                                                                                            • SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EB9
                                                                                                            • ReleaseCapture.USER32 ref: 00422EBE
                                                                                                            • GetActiveWindow.USER32 ref: 00422ECD
                                                                                                            • SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F4C
                                                                                                            • SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FB0
                                                                                                            • GetActiveWindow.USER32 ref: 00422FBF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CaptureMessageSend$ActiveWindow$Release
                                                                                                            • String ID:
                                                                                                            • API String ID: 862346643-0
                                                                                                            • Opcode ID: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                                            • Instruction ID: c6261992695b47722d84ffa44129b55dc5b2a4dad2f70b0012283783c1c7b094
                                                                                                            • Opcode Fuzzy Hash: b1a57ae8c862de22bc82aa702dd5f84040ee9f6a0804fcde46ad074f7f3e30fe
                                                                                                            • Instruction Fuzzy Hash: 24417230B00245AFDB10EB69DA86B9E77F1EF44304F5540BAF404AB2A2D778AE40DB49
                                                                                                            APIs
                                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0042F2BA
                                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0042F2D1
                                                                                                            • GetActiveWindow.USER32 ref: 0042F2DA
                                                                                                            • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F307
                                                                                                            • SetActiveWindow.USER32(?,0042F437,00000000,?), ref: 0042F328
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ActiveLong$Message
                                                                                                            • String ID:
                                                                                                            • API String ID: 2785966331-0
                                                                                                            • Opcode ID: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                                                            • Instruction ID: ac844ef734d24c76dc9aa96f201b13a865b129e9c1b137beabd8cb6517960092
                                                                                                            • Opcode Fuzzy Hash: 267c9eefe26e23fd4e765c6349420bb8bb9da3d18075eb1d96a464b655a4fe2f
                                                                                                            • Instruction Fuzzy Hash: F931D271A00254AFEB01EFA5DD52E6EBBB8EB09304F9144BAF804E3291D73C9D10CB58
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 0042948A
                                                                                                            • GetTextMetricsA.GDI32(00000000), ref: 00429493
                                                                                                              • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004294A2
                                                                                                            • GetTextMetricsA.GDI32(00000000,?), ref: 004294AF
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 004294B6
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 004294BE
                                                                                                            • GetSystemMetrics.USER32(00000006), ref: 004294E3
                                                                                                            • GetSystemMetrics.USER32(00000006), ref: 004294FD
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 1583807278-0
                                                                                                            • Opcode ID: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                                                            • Instruction ID: 8a5b62ad3b2811282b00f4aa11bc4c2c065e9b9ae855548013837f5c18493421
                                                                                                            • Opcode Fuzzy Hash: 960ca5b6b9ec06081429caf0e2ae16fd4423d047ce8cb1d090ce01a2b2c84894
                                                                                                            • Instruction Fuzzy Hash: 0F01C4A17087103BE321767A9CC6F6F65C8DB44358F84043BF686D63D3D96C9C41866A
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 0041DE27
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041DE31
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041DE3E
                                                                                                            • MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE4D
                                                                                                            • GetStockObject.GDI32(00000007), ref: 0041DE5B
                                                                                                            • GetStockObject.GDI32(00000005), ref: 0041DE67
                                                                                                            • GetStockObject.GDI32(0000000D), ref: 0041DE73
                                                                                                            • LoadIconA.USER32(00000000,00007F00), ref: 0041DE84
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ObjectStock$CapsDeviceIconLoadRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 225703358-0
                                                                                                            • Opcode ID: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
                                                                                                            • Instruction ID: 282f56568f1177e4dad385ec7f61a974d29090d827cf1f87eb40c920fa9ca7e8
                                                                                                            • Opcode Fuzzy Hash: cf3de45f10179e040e4bf754cd3e00afbbff0486b0448c288d4be5e1939ebdb6
                                                                                                            • Instruction Fuzzy Hash: 4C1142706457015EE340BFA66E52B6A36A4D725708F40413FF609AF3D1D77A2C448B9E
                                                                                                            APIs
                                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 00463344
                                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00000000,004633D9), ref: 0046334A
                                                                                                            • SetCursor.USER32(?,004633C1,00007F02,00000000,004633D9), ref: 004633B4
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Cursor$Load
                                                                                                            • String ID: $ $Internal error: Item already expanding
                                                                                                            • API String ID: 1675784387-1948079669
                                                                                                            • Opcode ID: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                                                            • Instruction ID: e4e85f4aa3fa623d7d3a169fbc538aa22306e9421cedfdc69a3031d12d347dae
                                                                                                            • Opcode Fuzzy Hash: 040729a671edf880b94918ceea5f8eaec20fdfbf8da854279a56862745118dff
                                                                                                            • Instruction Fuzzy Hash: 4CB18270604284EFDB11DF29C545B9ABBF1BF04305F1484AAE8469B792DB78EE44CB4A
                                                                                                            APIs
                                                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453E17
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: PrivateProfileStringWrite
                                                                                                            • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                                            • API String ID: 390214022-3304407042
                                                                                                            • Opcode ID: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                                                                            • Instruction ID: 4c4b1d7f09994941c57eaafc4db68242d6a3f6c21ecd3f2b5b8f846a746055a2
                                                                                                            • Opcode Fuzzy Hash: 262666494607197906d7283235c4c76affd32b2b0fdb9ef9cba9b9ea75353bac
                                                                                                            • Instruction Fuzzy Hash: 40911434E002099BDB01EFA5D842BDEB7F5AF4874AF608466E90077392D7786E49CB58
                                                                                                            APIs
                                                                                                            • GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00476CA9
                                                                                                            • SetWindowLongW.USER32(00000000,000000FC,00476C04), ref: 00476CD0
                                                                                                            • GetACP.KERNEL32(00000000,00476EE8,?,00000000,00476F12), ref: 00476D0D
                                                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00476D53
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ClassInfoLongMessageSendWindow
                                                                                                            • String ID: COMBOBOX$Inno Setup: Language
                                                                                                            • API String ID: 3391662889-4234151509
                                                                                                            • Opcode ID: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                                                                            • Instruction ID: b13fa11fcbd9abdf7db93726dac51e4442bd67f198c8610d2c1064f44be53319
                                                                                                            • Opcode Fuzzy Hash: 1db359e320ab2741222256d54ad499686456584f5ec697b8868a090b3fdd66eb
                                                                                                            • Instruction Fuzzy Hash: 46812C346006059FDB10DF69D985AEAB7F2FB09304F15C1BAE808EB762D778AD41CB58
                                                                                                            APIs
                                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,00408968,?,?,?,?,00000000,00000000,00000000,?,0040996F,00000000,00409982), ref: 0040873A
                                                                                                              • Part of subcall function 00408568: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049B4C0,00000001,?,00408633,?,00000000,00408712), ref: 00408586
                                                                                                              • Part of subcall function 004085B4: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087B6,?,?,?,00000000,00408968), ref: 004085C7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: InfoLocale$DefaultSystem
                                                                                                            • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                            • API String ID: 1044490935-665933166
                                                                                                            • Opcode ID: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                                                            • Instruction ID: 5c6fde8006682913ecab3173e7335377554a92ac61a87523d81808753b4ec1a9
                                                                                                            • Opcode Fuzzy Hash: 99a58aab46255149f4b24f4520dbd6929c7443738739b227c4cc8c7d24f61a81
                                                                                                            • Instruction Fuzzy Hash: 7D516C24B00108ABDB01FBA69E4169EB7A9DB94308F50C07FA181BB3C3CE3DDA05975D
                                                                                                            APIs
                                                                                                            • GetVersion.KERNEL32(00000000,004118F9), ref: 0041178C
                                                                                                            • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041184A
                                                                                                              • Part of subcall function 00411AAC: CreatePopupMenu.USER32 ref: 00411AC6
                                                                                                            • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118D6
                                                                                                              • Part of subcall function 00411AAC: CreateMenu.USER32 ref: 00411AD0
                                                                                                            • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118BD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Menu$Insert$Create$ItemPopupVersion
                                                                                                            • String ID: ,$?
                                                                                                            • API String ID: 2359071979-2308483597
                                                                                                            • Opcode ID: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                                            • Instruction ID: ecf66c9774bccec907b621c371347452b74b7622051e058d8a4a73451c3e974f
                                                                                                            • Opcode Fuzzy Hash: 4986dcd06abefbee5f666d79fc26290c702fe8a84b14e195092edf3558bd7871
                                                                                                            • Instruction Fuzzy Hash: D7510674A00245ABDB10EF6ADC816EA7BF9AF09304B11857BF904E73A6D738DD41CB58
                                                                                                            APIs
                                                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 0041BF28
                                                                                                            • GetObjectA.GDI32(?,00000018,?), ref: 0041BF37
                                                                                                            • GetBitmapBits.GDI32(?,?,?), ref: 0041BF88
                                                                                                            • GetBitmapBits.GDI32(?,?,?), ref: 0041BF96
                                                                                                            • DeleteObject.GDI32(?), ref: 0041BF9F
                                                                                                            • DeleteObject.GDI32(?), ref: 0041BFA8
                                                                                                            • CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFC5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Object$BitmapBitsDelete$CreateIcon
                                                                                                            • String ID:
                                                                                                            • API String ID: 1030595962-0
                                                                                                            • Opcode ID: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                                            • Instruction ID: 74cae3b7aa7aab4ce12a2fbd062d204c5c4082198076ec6df892ad84fd278e80
                                                                                                            • Opcode Fuzzy Hash: dabea464bc85c36b4411cc83672e19ff5768c85fc4c65aec36842f1966395034
                                                                                                            • Instruction Fuzzy Hash: 6A510671A002199FCB10DFA9C9819EEB7F9EF48314B11416AF914E7395D738AD41CB68
                                                                                                            APIs
                                                                                                            • SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CEFE
                                                                                                            • GetDeviceCaps.GDI32(00000000,00000026), ref: 0041CF1D
                                                                                                            • SelectPalette.GDI32(?,?,00000001), ref: 0041CF83
                                                                                                            • RealizePalette.GDI32(?), ref: 0041CF92
                                                                                                            • StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041CFFC
                                                                                                            • StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D03A
                                                                                                            • SelectPalette.GDI32(?,?,00000001), ref: 0041D05F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
                                                                                                            • String ID:
                                                                                                            • API String ID: 2222416421-0
                                                                                                            • Opcode ID: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                                            • Instruction ID: 4b814cf558339e083a7fb5ccd56fb4ffad9fd0a27a4bfdacf16c2dd2476febac
                                                                                                            • Opcode Fuzzy Hash: 5be0e4e6833feb243a8d388dd1011de92277052336d3d318ec39d49e9b6efc72
                                                                                                            • Instruction Fuzzy Hash: D2515EB0604200AFDB14DFA8C985F9BBBE9EF08304F10459AB549DB292C778ED81CB58
                                                                                                            APIs
                                                                                                            • SendMessageA.USER32(00000000,?,?), ref: 0045732E
                                                                                                              • Part of subcall function 0042427C: GetWindowTextA.USER32(?,?,00000100), ref: 0042429C
                                                                                                              • Part of subcall function 0041EEA4: GetCurrentThreadId.KERNEL32 ref: 0041EEF3
                                                                                                              • Part of subcall function 0041EEA4: EnumThreadWindows.USER32(00000000,0041EE54,00000000), ref: 0041EEF9
                                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457395
                                                                                                            • TranslateMessage.USER32(?), ref: 004573B3
                                                                                                            • DispatchMessageA.USER32(?), ref: 004573BC
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
                                                                                                            • String ID: [Paused]
                                                                                                            • API String ID: 1007367021-4230553315
                                                                                                            • Opcode ID: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                                            • Instruction ID: a72840e20965590be0df7748d4dcd1bfe023db3bc5775872eefead19b10ec59e
                                                                                                            • Opcode Fuzzy Hash: 138259db96aaba9c66cb09bcf6582550d327018b684ee04c4d651f5f89e9d65e
                                                                                                            • Instruction Fuzzy Hash: 633175319082449ADB11DBB9EC81B9E7FB8EF49314F5540B7EC00E7292D73C9909DB69
                                                                                                            APIs
                                                                                                            • GetCursor.USER32(00000000,0046B55F), ref: 0046B4DC
                                                                                                            • LoadCursorA.USER32(00000000,00007F02), ref: 0046B4EA
                                                                                                            • SetCursor.USER32(00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4F0
                                                                                                            • Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B4FA
                                                                                                            • SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046B55F), ref: 0046B500
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Cursor$LoadSleep
                                                                                                            • String ID: CheckPassword
                                                                                                            • API String ID: 4023313301-1302249611
                                                                                                            • Opcode ID: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                                            • Instruction ID: 9465d4cba05e43c3341d6d018928b45656d3fee3f016636846a90655da25d4f4
                                                                                                            • Opcode Fuzzy Hash: 301d54e166a0b4011b0937e4b70ed1e1b4ade500f65d2603abaf2adc357acc1d
                                                                                                            • Instruction Fuzzy Hash: D0316334740204AFD711EF69C899B9A7BE4EF45308F5580B6F9049B3A2D7789E40CB99
                                                                                                            APIs
                                                                                                              • Part of subcall function 00477B94: GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                                              • Part of subcall function 00477B94: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                                              • Part of subcall function 00477B94: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                                            • SendMessageA.USER32(00000000,0000004A,00000000,00478026), ref: 00477CA1
                                                                                                            • GetTickCount.KERNEL32 ref: 00477CE6
                                                                                                            • GetTickCount.KERNEL32 ref: 00477CF0
                                                                                                            • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00477D45
                                                                                                            Strings
                                                                                                            • CallSpawnServer: Unexpected response: $%x, xrefs: 00477CD6
                                                                                                            • CallSpawnServer: Unexpected status: %d, xrefs: 00477D2E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                                            • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                                            • API String ID: 613034392-3771334282
                                                                                                            • Opcode ID: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                                            • Instruction ID: 262cbc5b9954910938d5a1e8e32dc50db46ad6f301169d9d39307b56b522dac3
                                                                                                            • Opcode Fuzzy Hash: a349fc6668a2a279a7709dc0d92d626649643492524c5ed72309cd5f58a9f2ee
                                                                                                            • Instruction Fuzzy Hash: 87318474B042159EDB10EBB9C8867EE76A0AF08714F90807AB548EB392D67C9D4187AD
                                                                                                            APIs
                                                                                                            • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045983F
                                                                                                            Strings
                                                                                                            • Failed to load .NET Framework DLL "%s", xrefs: 00459824
                                                                                                            • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045984A
                                                                                                            • .NET Framework CreateAssemblyCache function failed, xrefs: 00459862
                                                                                                            • CreateAssemblyCache, xrefs: 00459836
                                                                                                            • Fusion.dll, xrefs: 004597DF
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc
                                                                                                            • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                                            • API String ID: 190572456-3990135632
                                                                                                            • Opcode ID: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                                            • Instruction ID: 9a538673283cb431493768ab67eac729fe35d93f11f945e2dcd414e2b3f175b6
                                                                                                            • Opcode Fuzzy Hash: 64b7f7115ec2050a4f0e42ab113808549d669c8acfba7d9bf3bad921683fe547
                                                                                                            • Instruction Fuzzy Hash: A2318B70E10649ABCB10FFA5C88169EB7B8EF45315F50857BE814E7382DB389E08C799
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041C048: GetObjectA.GDI32(?,00000018), ref: 0041C055
                                                                                                            • GetFocus.USER32 ref: 0041C168
                                                                                                            • GetDC.USER32(?), ref: 0041C174
                                                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 0041C195
                                                                                                            • RealizePalette.GDI32(?), ref: 0041C1A1
                                                                                                            • GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1B8
                                                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C1E0
                                                                                                            • ReleaseDC.USER32(?,?), ref: 0041C1ED
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 3303097818-0
                                                                                                            • Opcode ID: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                                            • Instruction ID: 25a0b6576c779426e59073023ceed4ef49f3845c1b310514cd4f08ef327de147
                                                                                                            • Opcode Fuzzy Hash: 26117fda3ddcda01a6cc84f42a4f6ec069d0e010bd6cdd98afb854c6c7779a8d
                                                                                                            • Instruction Fuzzy Hash: 49116D71A44604BFDF10DBE9CC81FAFB7FCEB48700F50486AB518E7281DA7899008B28
                                                                                                            APIs
                                                                                                            • GetSystemMetrics.USER32(0000000E), ref: 00418C70
                                                                                                            • GetSystemMetrics.USER32(0000000D), ref: 00418C78
                                                                                                            • 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C7E
                                                                                                              • Part of subcall function 004107F8: 6F52C400.COMCTL32(0049B628,000000FF,00000000,00418CAC,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004107FC
                                                                                                            • 6F59CB00.COMCTL32(0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CCE
                                                                                                            • 6F59C740.COMCTL32(00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CD9
                                                                                                            • 6F59CB00.COMCTL32(0049B628,00000001,?,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000), ref: 00418CEC
                                                                                                            • 6F530860.COMCTL32(0049B628,00418D0F,?,00000000,?,0049B628,00000000,00000000,00000000,00000000,00418D08,?,00000000,0000000D,00000000,0000000E), ref: 00418D02
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MetricsSystem$C400C740F530860F532980
                                                                                                            • String ID:
                                                                                                            • API String ID: 209721339-0
                                                                                                            • Opcode ID: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                                            • Instruction ID: f48c8f8e6a400555c090207229051c9eae11b8a9b20c4da93df477ea8fa1a9e8
                                                                                                            • Opcode Fuzzy Hash: e2c7fe5230f8d2f143d47c0d6a7892a097693e1c100db4317caf46c6149257f7
                                                                                                            • Instruction Fuzzy Hash: 6B112475744204BBDB50EBA9EC82FAD73F8DB08704F504066B514EB2C1DAB9AD808759
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00483D24), ref: 00483D09
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen
                                                                                                            • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                                            • API String ID: 47109696-2530820420
                                                                                                            • Opcode ID: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                                            • Instruction ID: 212569cff1cfb7858b589fbdbabdc9c693f1f7cc945fcf11155ec0ddb5f1f406
                                                                                                            • Opcode Fuzzy Hash: e1bcbbbaaee85d585434023fd650e6813b785c41e8fbc068ac73575afb55ee56
                                                                                                            • Instruction Fuzzy Hash: CC117C30704244AADB10FF65D862B5E7BF9DB45B05F618877A800E7282EB78AE05875C
                                                                                                            APIs
                                                                                                            • SelectObject.GDI32(00000000,?), ref: 0041B470
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B47F
                                                                                                            • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4AB
                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041B4B9
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B4C7
                                                                                                            • DeleteDC.GDI32(00000000), ref: 0041B4D0
                                                                                                            • DeleteDC.GDI32(?), ref: 0041B4D9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ObjectSelect$Delete$Stretch
                                                                                                            • String ID:
                                                                                                            • API String ID: 1458357782-0
                                                                                                            • Opcode ID: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                                            • Instruction ID: 052e9154069abc57648b404522aaf552eddfcc6d95cd3388d63b7ef9ce004286
                                                                                                            • Opcode Fuzzy Hash: 8542cbb8adbe0fd8af4a730cfe3faeef428ae57c020086fb9cb954466ea4b08d
                                                                                                            • Instruction Fuzzy Hash: 7B115C72E40619ABDB10DAD9DC86FEFB7BCEF08704F144555B614F7282C678AC418BA8
                                                                                                            APIs
                                                                                                            • GetCursorPos.USER32 ref: 004233AF
                                                                                                            • WindowFromPoint.USER32(?,?), ref: 004233BC
                                                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233CA
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 004233D1
                                                                                                            • SendMessageA.USER32(00000000,00000084,?,?), ref: 004233EA
                                                                                                            • SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423401
                                                                                                            • SetCursor.USER32(00000000), ref: 00423413
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
                                                                                                            • String ID:
                                                                                                            • API String ID: 1770779139-0
                                                                                                            • Opcode ID: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                                            • Instruction ID: 22bb490dc700fc35bbf8fe9eba0271ced42fa0644d0760cf779c582944844a3d
                                                                                                            • Opcode Fuzzy Hash: 134875e674979cd567c136abb418dc525a6250aa5b529fa10794d0eebf3240cc
                                                                                                            • Instruction Fuzzy Hash: BA01D4223046103AD6217B755D82E2F26E8DB85B15F50407FF504BB283DA3D9D11937D
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0049533C
                                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00495349
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00495356
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleModule
                                                                                                            • String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
                                                                                                            • API String ID: 667068680-2254406584
                                                                                                            • Opcode ID: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                                            • Instruction ID: d6622564654ba01390171a2dbbf88ec7785202fdd48675fe733a6c53722864ad
                                                                                                            • Opcode Fuzzy Hash: 5579b8dc187442e7c517f6558358e9e0fd6dcc5405420102cd7b083255a2d8af
                                                                                                            • Instruction Fuzzy Hash: 7EF0F692741F156ADA3121660C41B7F6B8CCB917B1F240137BE44A7382E9ED8C0047ED
                                                                                                            APIs
                                                                                                            • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045D691
                                                                                                            • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045D6A1
                                                                                                            • GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045D6B1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc
                                                                                                            • String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
                                                                                                            • API String ID: 190572456-212574377
                                                                                                            • Opcode ID: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                                            • Instruction ID: 26f5c6c79611f6cc0facecefa5b4932716cc5d8e9f8ea2477ead0514974f6e87
                                                                                                            • Opcode Fuzzy Hash: 0c00d940adfee3eed657d73ca32928dd6beaef8d72542be6af97d79d08c28db7
                                                                                                            • Instruction Fuzzy Hash: 0EF01DB0D00705DFD724EFB6ACC672736D5AB6831AF50813B990E95262D778045ACF2C
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,004812C8), ref: 0042EA35
                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EA3B
                                                                                                            • InterlockedExchange.KERNEL32(0049B668,00000001), ref: 0042EA4C
                                                                                                              • Part of subcall function 0042E9AC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                                              • Part of subcall function 0042E9AC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                                              • Part of subcall function 0042E9AC: InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                                            • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042EA60
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
                                                                                                            • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                                                                            • API String ID: 142928637-2676053874
                                                                                                            • Opcode ID: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                                            • Instruction ID: 20967f7a279d57b19857f2ad39d34e10c6be6de8430a8d3efc5b40b14e24a4c3
                                                                                                            • Opcode Fuzzy Hash: 2e6935975283b392abf6eb535232e6e33c7297ce4864da2c850d0b2669d54df9
                                                                                                            • Instruction Fuzzy Hash: 99E092A1741B20EAEA10B7B67C86FAA2658EB1076DF500037F100A51F1C3BD1C80CE9E
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(oleacc.dll,?,0044F089), ref: 0044C7EB
                                                                                                            • GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C7FC
                                                                                                            • GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C80C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                                            • String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
                                                                                                            • API String ID: 2238633743-1050967733
                                                                                                            • Opcode ID: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                                            • Instruction ID: d6497c9818d993b67a5702c7731996643d684f189bbd4b702b1f6e54e13363b7
                                                                                                            • Opcode Fuzzy Hash: 580db4225bb49e0f2395934ae602c4dd6ca827d8c76c18c7318a842ee4a54372
                                                                                                            • Instruction Fuzzy Hash: 50F0DA70282305CAE750BBB5FDD57263694E3A470AF18277BE841551A2C7B94844CB8C
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00498C24), ref: 00478C26
                                                                                                            • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00478C33
                                                                                                            • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00478C43
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$HandleModule
                                                                                                            • String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
                                                                                                            • API String ID: 667068680-222143506
                                                                                                            • Opcode ID: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                                            • Instruction ID: 32a0137ea675787c0bb1f7a77b9c903aea73f6d33f3aa717a8ad139b0a70eb03
                                                                                                            • Opcode Fuzzy Hash: 81267d710db967c56e7e702a34d1e8b60bf08845a808e06a5f27e56110be3c01
                                                                                                            • Instruction Fuzzy Hash: 4DC0C9F02C1700EEAA01B7B11DCAA7A255CC500728320843F7049BA182D97C0C104F3C
                                                                                                            APIs
                                                                                                            • GetFocus.USER32 ref: 0041B57E
                                                                                                            • GetDC.USER32(?), ref: 0041B58A
                                                                                                            • GetDeviceCaps.GDI32(?,00000068), ref: 0041B5A6
                                                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5C3
                                                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041B5DA
                                                                                                            • ReleaseDC.USER32(?,?), ref: 0041B626
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                                            • String ID:
                                                                                                            • API String ID: 2502006586-0
                                                                                                            • Opcode ID: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                                            • Instruction ID: 1753bd22f5710d4f749a3cf2d8329d0f84e6490acb09e3fae29671003709e3a5
                                                                                                            • Opcode Fuzzy Hash: e956e6ae92597662ed98b2f51c6b506043ab8b509e5ceb21f610fa5f8f95298e
                                                                                                            • Instruction Fuzzy Hash: D0410631A04258AFDF10DFA9C885AAFBBB4EF59704F1484AAF500EB351D3389D51CBA5
                                                                                                            APIs
                                                                                                            • SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                                            • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D184,?,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0F6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast
                                                                                                            • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                                            • API String ID: 1452528299-1580325520
                                                                                                            • Opcode ID: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                                            • Instruction ID: 81e1e27ad3ae8d1ea1d6b81b4c13ff0be47bc54c17845d393ef4ad8e2f10c1e8
                                                                                                            • Opcode Fuzzy Hash: 44daac30ba6290961f85a10f910adeebe56024b8db7d764ffa7b36a0de599fb3
                                                                                                            • Instruction Fuzzy Hash: 2C117535A04608AFD731DA91C942B9EB6ADDF4470AF6040776D00572C3D67C5F0B992E
                                                                                                            APIs
                                                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0041BDD5
                                                                                                            • GetSystemMetrics.USER32(0000000C), ref: 0041BDDF
                                                                                                            • GetDC.USER32(00000000), ref: 0041BDE9
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0041BE10
                                                                                                            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0041BE1D
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041BE56
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CapsDeviceMetricsSystem$Release
                                                                                                            • String ID:
                                                                                                            • API String ID: 447804332-0
                                                                                                            • Opcode ID: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                                            • Instruction ID: d5b995c8e3894394b735eabd433659eae54025482fea58e306a85006fdca5b97
                                                                                                            • Opcode Fuzzy Hash: 3bdc6123dd6674b0137b7fef1a93c0b96d54f33e4692062cf67464f69f8f60e7
                                                                                                            • Instruction Fuzzy Hash: E5212A74E04648AFEB00EFA9C941BEEB7B4EB48714F10846AF514B7690D7785940CB69
                                                                                                            APIs
                                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,00401B68), ref: 00401ABD
                                                                                                            • LocalFree.KERNEL32(005CECC0,00000000,00401B68), ref: 00401ACF
                                                                                                            • VirtualFree.KERNEL32(?,00000000,00008000,005CECC0,00000000,00401B68), ref: 00401AEE
                                                                                                            • LocalFree.KERNEL32(005CFCC0,?,00000000,00008000,005CECC0,00000000,00401B68), ref: 00401B2D
                                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B58
                                                                                                            • RtlDeleteCriticalSection.KERNEL32(0049B420,00401B6F), ref: 00401B62
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 3782394904-0
                                                                                                            • Opcode ID: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                                            • Instruction ID: 79795942c165c44483fb09e1962e32eaca51f8de38df00e9c029d8aa05623ce8
                                                                                                            • Opcode Fuzzy Hash: ef0d8b2142be7cf42810e170793bf0a6b8446fdea194a224c38922696d0a74e0
                                                                                                            • Instruction Fuzzy Hash: 3B118E30A003405AEB15AB65BE85B263BA5D761B08F44407BF80067BF3D77C5850E7AE
                                                                                                            APIs
                                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047E766
                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046CD49), ref: 0047E78C
                                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047E79C
                                                                                                            • SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047E7BD
                                                                                                            • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047E7D1
                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047E7ED
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$Long$Show
                                                                                                            • String ID:
                                                                                                            • API String ID: 3609083571-0
                                                                                                            • Opcode ID: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                                            • Instruction ID: 463a5c2536fff799c7bf7cf61cbf8045bc8b98cac2b0bb45a0840e8ed8c25010
                                                                                                            • Opcode Fuzzy Hash: ff63fb1e20feffedf8b27b7393a281f73df7108790e31fa3444cbd3f3be65d10
                                                                                                            • Instruction Fuzzy Hash: 53010CB5641210ABEA00D769DE81F6637D8AB1C320F0943A6B959DF3E3C738EC408B49
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041A6E0: CreateBrushIndirect.GDI32 ref: 0041A74B
                                                                                                            • UnrealizeObject.GDI32(00000000), ref: 0041B27C
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B28E
                                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B2B1
                                                                                                            • SetBkMode.GDI32(?,00000002), ref: 0041B2BC
                                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B2D7
                                                                                                            • SetBkMode.GDI32(?,00000001), ref: 0041B2E2
                                                                                                              • Part of subcall function 0041A058: GetSysColor.USER32(?), ref: 0041A062
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                                            • String ID:
                                                                                                            • API String ID: 3527656728-0
                                                                                                            • Opcode ID: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                                            • Instruction ID: d03b18a2b949c207061bd18b8e5d47ed8ce294e6be165222704fda36eef26a4f
                                                                                                            • Opcode Fuzzy Hash: 90af7722afa79acc590a6ee3060039fb524340e2cf7ce152cccbdcb584e8dbde
                                                                                                            • Instruction Fuzzy Hash: 56F0CD756015009BDE00FFAAD9CBE4B3B989F043097048496B908DF187CA3CD8649B3A
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539AB
                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,!nI,_iu,?,00000000,004539F6), ref: 004539BB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateFileHandle
                                                                                                            • String ID: !nI$.tmp$_iu
                                                                                                            • API String ID: 3498533004-584216493
                                                                                                            • Opcode ID: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                                                            • Instruction ID: 7da7e9bbb2667b7856572ae533a3071efe8e017fb0344d9459fa270775feb22d
                                                                                                            • Opcode Fuzzy Hash: 1dee75e2bfc2da78c26475f080e8b0a4db6a1a73d39b0bf1d20dabbe4352c150
                                                                                                            • Instruction Fuzzy Hash: 1831C5B0A00249ABCB11EF95D842B9EBBB4AF44345F20453AF810B73C2D7785F058B69
                                                                                                            APIs
                                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                            • ShowWindow.USER32(?,00000005,00000000,00497FC1,?,?,00000000), ref: 00497D92
                                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                              • Part of subcall function 004072A8: SetCurrentDirectoryA.KERNEL32(00000000,?,00497DBA,00000000,00497F8D,?,?,00000005,00000000,00497FC1,?,?,00000000), ref: 004072B3
                                                                                                              • Part of subcall function 0042D44C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4DA,?,?,?,00000001,?,0045607E,00000000,004560E6), ref: 0042D481
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                                            • String ID: .dat$.msg$IMsg$Uninstall
                                                                                                            • API String ID: 3312786188-1660910688
                                                                                                            • Opcode ID: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                                            • Instruction ID: abb28459e614be91aca1b68aa70fad33032f6e559e3bf784a216f74f74fa669e
                                                                                                            • Opcode Fuzzy Hash: f79b411802c9da3a9116882e1755ce4b3781acbc659f3f1c23c36e526850363e
                                                                                                            • Instruction Fuzzy Hash: 89314F34A14114AFCB00EF65DD9296E7BB5EF89314F91857AF800AB395DB38BD01CB68
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EADA
                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EAE0
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EB09
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                                            • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                                            • API String ID: 828529508-2866557904
                                                                                                            • Opcode ID: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                                                            • Instruction ID: 7e091cf0cf0c4dae12ae48626bdfb721f4796128e550bb25d34418d77cfbcdd5
                                                                                                            • Opcode Fuzzy Hash: eb577c3347fbf9fd6a249885fcfc34f4074b2fa1c1d8d6afc25abb851ecf655c
                                                                                                            • Instruction Fuzzy Hash: 70F0C8D034061136E620B57F5C82F7B598C8F94759F140436B109E62C2D96CA905426E
                                                                                                            APIs
                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF), ref: 00458028
                                                                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00458049
                                                                                                            • CloseHandle.KERNEL32(?,0045807C), ref: 0045806F
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                                            • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                                            • API String ID: 2573145106-3235461205
                                                                                                            • Opcode ID: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                                                            • Instruction ID: 2f0632834368beac7d1c7250186d6a5b4d0e74160b608b18ba1b2b0c741dc3d5
                                                                                                            • Opcode Fuzzy Hash: f4b7924840392a1c056809c60f673386a353f05297e24ea8de8fb179b7d06f04
                                                                                                            • Instruction Fuzzy Hash: 8101A231600204AFD710EBA98C02A5A73A8EB49B25F51407BFC10E73D3DE399E08965D
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EA70,00000004,00499934,004571F1,00457594,00457148,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E9C2
                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9C8
                                                                                                            • InterlockedExchange.KERNEL32(0049B660,00000001), ref: 0042E9D9
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: AddressExchangeHandleInterlockedModuleProc
                                                                                                            • String ID: ChangeWindowMessageFilter$user32.dll
                                                                                                            • API String ID: 3478007392-2498399450
                                                                                                            • Opcode ID: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                                            • Instruction ID: c922fa4e85abb1c6873f36dcd01b6443d81c66d6c3501223796626af46e79b09
                                                                                                            • Opcode Fuzzy Hash: 3254194633b527647525dea76c004eb0f33bc99a9c522dc813bf1be520244ffe
                                                                                                            • Instruction Fuzzy Hash: 5CE0ECB2740324EADA103B627E8AF663558E724B19F50043BF001751F1C7FD1C80CA9E
                                                                                                            APIs
                                                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00477B9C
                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00477C93,0049C0A8,00000000), ref: 00477BAF
                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00477BB5
                                                                                                            Strings
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProcProcessThreadWindow
                                                                                                            • String ID: AllowSetForegroundWindow$user32.dll
                                                                                                            • API String ID: 1782028327-3855017861
                                                                                                            • Opcode ID: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                                            • Instruction ID: d51ed2a8d8be4cb67b0f2e6afaff03014389f5b4c9f6752a27b175deb1fe6994
                                                                                                            • Opcode Fuzzy Hash: 0c48b0152dcd94fde7082f0574e48419f86d5c04df14efc0ca492c8631bf730a
                                                                                                            • Instruction Fuzzy Hash: D7D0C790248701B9D910B3F64D46E9F3A5D894471CB50C47BB418E61C5DA7CFD04893D
                                                                                                            APIs
                                                                                                            • BeginPaint.USER32(00000000,?), ref: 00416C52
                                                                                                            • SaveDC.GDI32(?), ref: 00416C83
                                                                                                            • ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D45), ref: 00416CE4
                                                                                                            • RestoreDC.GDI32(?,?), ref: 00416D0B
                                                                                                            • EndPaint.USER32(00000000,?,00416D4C,00000000,00416D45), ref: 00416D3F
                                                                                                            Similarity
                                                                                                            • API ID: Paint$BeginClipExcludeRectRestoreSave
                                                                                                            • String ID:
                                                                                                            • API String ID: 3808407030-0
                                                                                                            • Opcode ID: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                                            • Instruction ID: 8164e3b37c2b38cc39b91ef4074089abf19b8963c3e0e5cbd12a4ce3d65b1abe
                                                                                                            • Opcode Fuzzy Hash: ad781fe6fb59047a66b80eb53a3f65b2019eba16d1c733f202b60e39d660354f
                                                                                                            • Instruction Fuzzy Hash: A1415070A002049FCB14DBA9C585FAA77F9FF48304F1540AEE8459B362D778DD81CB58
                                                                                                            APIs
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                                            • Instruction ID: a833d86c80f2fb81cba799e3b93fc1891ddf3ebdd98a67124a25423b7ab76754
                                                                                                            • Opcode Fuzzy Hash: b6913cb722474124f75cff2ee5949f067bbdde1b56a592e148b6496e85af3d5a
                                                                                                            • Instruction Fuzzy Hash: 563132746057809FC320EF69C984B9BB7E8AF89354F04491EF9D5C3752C638E8818F19
                                                                                                            APIs
                                                                                                            • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429808
                                                                                                            • SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429837
                                                                                                            • SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429853
                                                                                                            • SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042987E
                                                                                                            • SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0042989C
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID:
                                                                                                            • API String ID: 3850602802-0
                                                                                                            • Opcode ID: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                                            • Instruction ID: 8b65b0e689063cc909dba6714575951256d1ad54ff8cece17fd29570ea6901c2
                                                                                                            • Opcode Fuzzy Hash: 399f588db94bb8b810bf5b46e1237ea7bfd7cbebe0e15a3dbf36720fb68daebb
                                                                                                            • Instruction Fuzzy Hash: 6E219D707107057BEB10AB62DC82F5B7AECAB41708F54443EB501AB2D2DFB8AE418228
                                                                                                            APIs
                                                                                                            • GetSystemMetrics.USER32(0000000B), ref: 0041BBCA
                                                                                                            • GetSystemMetrics.USER32(0000000C), ref: 0041BBD4
                                                                                                            • GetDC.USER32(00000000), ref: 0041BC12
                                                                                                            • CreateDIBitmap.GDI32(00000000,?,00000004,?,?,00000000), ref: 0041BC59
                                                                                                            • DeleteObject.GDI32(00000000), ref: 0041BC9A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MetricsSystem$BitmapCreateDeleteObject
                                                                                                            • String ID:
                                                                                                            • API String ID: 1095203571-0
                                                                                                            • Opcode ID: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                                            • Instruction ID: 2a907a32995036c4e239f44386a828d3a2f1e7d44945ead90e55d18394f4d4ff
                                                                                                            • Opcode Fuzzy Hash: d6ecec59309c4539c21f746b1d4641e0a999657a412e1d938322a226e3514674
                                                                                                            • Instruction Fuzzy Hash: 5D315C70E00208EFDB04DFA5C941AAEB7F5EB48700F2084AAF514AB781D7789E40DB98
                                                                                                            APIs
                                                                                                              • Part of subcall function 0045D04C: SetLastError.KERNEL32(00000057,00000000,0045D118,?,?,?,?,00000000), ref: 0045D0B7
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 00473665
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,004736AC,?,?,0049C1E0,00000000), ref: 0047367B
                                                                                                            Strings
                                                                                                            • Could not set permissions on the registry key because it currently does not exist., xrefs: 0047366F
                                                                                                            • Setting permissions on registry key: %s\%s, xrefs: 0047362A
                                                                                                            • Failed to set permissions on registry key (%d)., xrefs: 0047368C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast
                                                                                                            • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
                                                                                                            • API String ID: 1452528299-4018462623
                                                                                                            • Opcode ID: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                                                                            • Instruction ID: ad6b00cc897a6d1501f3fc6a2a631de3da5dc8c6e7b4eccdfad28332e4495c63
                                                                                                            • Opcode Fuzzy Hash: 2cd14b75b874af61ac3d45831295ca4897b993e1bd4af745d48f10d6dc1171d0
                                                                                                            • Instruction Fuzzy Hash: A121C870A046445FCB10DFA9C8826EEBBE4DF49319F50817BE408E7392D7785E098B6D
                                                                                                            APIs
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
                                                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                                                            • String ID:
                                                                                                            • API String ID: 262959230-0
                                                                                                            • Opcode ID: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                                                            • Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
                                                                                                            • Opcode Fuzzy Hash: dcd45591e65b03bd276bb2a5b0fabad56ebf76f0c081827c2345b0a7b763a240
                                                                                                            • Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
                                                                                                            APIs
                                                                                                            • SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414419
                                                                                                            • RealizePalette.GDI32(00000000), ref: 00414421
                                                                                                            • SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414435
                                                                                                            • RealizePalette.GDI32(00000000), ref: 0041443B
                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00414446
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Palette$RealizeSelect$Release
                                                                                                            • String ID:
                                                                                                            • API String ID: 2261976640-0
                                                                                                            • Opcode ID: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                                                            • Instruction ID: 3cc421e061c7a323c9855e33cbe13bf4890882f9e8533d15179bd5f7679f66d2
                                                                                                            • Opcode Fuzzy Hash: c9c8aa66f6917016d7555c0ac5b3df2d15848593dde74026b2272496f15e705b
                                                                                                            • Instruction Fuzzy Hash: A2018F7520C3806AE600A63D8C85A9F6BED9FCA718F15446EF495DB282DA7AC8018765
                                                                                                            APIs
                                                                                                              • Part of subcall function 0041F074: GetActiveWindow.USER32 ref: 0041F077
                                                                                                              • Part of subcall function 0041F074: GetCurrentThreadId.KERNEL32 ref: 0041F08C
                                                                                                              • Part of subcall function 0041F074: EnumThreadWindows.USER32(00000000,Function_0001F050), ref: 0041F092
                                                                                                              • Part of subcall function 004231A8: GetSystemMetrics.USER32(00000000), ref: 004231AA
                                                                                                            • OffsetRect.USER32(?,?,?), ref: 00424DC9
                                                                                                            • DrawTextA.USER32(00000000,00000000,000000FF,?,00000C10), ref: 00424E8C
                                                                                                            • OffsetRect.USER32(?,?,?), ref: 00424E9D
                                                                                                              • Part of subcall function 00423564: GetCurrentThreadId.KERNEL32 ref: 00423579
                                                                                                              • Part of subcall function 00423564: SetWindowsHookExA.USER32(00000003,00423520,00000000,00000000), ref: 00423589
                                                                                                              • Part of subcall function 00423564: CreateThread.KERNEL32(00000000,000003E8,004234D0,00000000,00000000), ref: 004235AD
                                                                                                              • Part of subcall function 00424B2C: SetTimer.USER32(00000000,00000001,?,004234B4), ref: 00424B47
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Thread$CurrentOffsetRectWindows$ActiveCreateDrawEnumHookMetricsSystemTextTimerWindow
                                                                                                            • String ID: vLB
                                                                                                            • API String ID: 1477829881-1797516613
                                                                                                            • Opcode ID: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                                                            • Instruction ID: 1a85cd152e58b5c2614c87f396891e2b5808bef0cf689969089b0637ec596c27
                                                                                                            • Opcode Fuzzy Hash: af4d35ceb7da7411f9a909d8da5f62e109762c4c9dbecdeb02cfa42cc05a337b
                                                                                                            • Instruction Fuzzy Hash: C5812675A003188FCB14DFA8D880ADEBBF4FF88314F50416AE905AB296E738AD45CF44
                                                                                                            APIs
                                                                                                            • WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407003
                                                                                                            • WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 0040707D
                                                                                                            • WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070D5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Enum$NameOpenResourceUniversal
                                                                                                            • String ID: Z
                                                                                                            • API String ID: 3604996873-1505515367
                                                                                                            • Opcode ID: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                                                            • Instruction ID: 78f4b6eea80f90a9c0d6dbacb1000d6f5057f9b0a0312f2c839bfa0eabc808a5
                                                                                                            • Opcode Fuzzy Hash: a9e747af3270ad6827a26b5e12e82ea9da9777e5f51a79d453bfa0d7b97e4fbe
                                                                                                            • Instruction Fuzzy Hash: 14516470E04208AFDB11DF95C951AAFBBB9EF09304F1045BAE500BB3D1D778AE458B5A
                                                                                                            APIs
                                                                                                            • SetRectEmpty.USER32(?), ref: 0044D04E
                                                                                                            • DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D079
                                                                                                            • DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D101
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DrawText$EmptyRect
                                                                                                            • String ID:
                                                                                                            • API String ID: 182455014-2867612384
                                                                                                            • Opcode ID: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                                                                            • Instruction ID: ac611c4ae9e9b4e435f74cd3b872a097dcdbbef8ea8fa2dc8c743a2ef399c877
                                                                                                            • Opcode Fuzzy Hash: 9cefa38d4a8adbc35dceb9fbd70f94003a2f7c245499b58eac7a7a86e34dc042
                                                                                                            • Instruction Fuzzy Hash: 18517171E00248AFDB11DFA5C885BDEBBF8BF48308F18447AE845EB252D7789945CB64
                                                                                                            APIs
                                                                                                            • GetDC.USER32(00000000), ref: 0042EF9E
                                                                                                              • Part of subcall function 0041A1E8: CreateFontIndirectA.GDI32(?), ref: 0041A2A7
                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0042EFC1
                                                                                                            • ReleaseDC.USER32(00000000,?), ref: 0042F0A0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CreateFontIndirectObjectReleaseSelect
                                                                                                            • String ID: ...\
                                                                                                            • API String ID: 3133960002-983595016
                                                                                                            • Opcode ID: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                                                                            • Instruction ID: de545d42c11d103cbad381cc3223c2b5efa9fdb4a6e9ae4bb0445229962d8c70
                                                                                                            • Opcode Fuzzy Hash: 174dea87e3c77845355dc2bffde9c2636390ac865bcfddee608935e642ca7c05
                                                                                                            • Instruction Fuzzy Hash: 5A316370B00128AFDB11EB96D841BAEB7F8EB09348F90447BE410A7392D7785E49CA59
                                                                                                            APIs
                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 00498280
                                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00498B60,00000000,00498306,?,?,00000000,0049B628), ref: 004982A9
                                                                                                            • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 004982C2
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$Attributes$Move
                                                                                                            • String ID: isRS-%.3u.tmp
                                                                                                            • API String ID: 3839737484-3657609586
                                                                                                            • Opcode ID: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                                                            • Instruction ID: fc33356634acd7bce8b4c2965ae56e8bcff63ef6fc68eceab8a95db248f88364
                                                                                                            • Opcode Fuzzy Hash: 6425da845d9cf075168c9006b2f4cde8adeeb665172db9fe24e9d2d56fbf6a76
                                                                                                            • Instruction Fuzzy Hash: 0B216471E00609ABCF10EFA9C8819AFBBB8AF45714F10457FB814B72D1DB389E018A59
                                                                                                            APIs
                                                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                                            • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExitMessageProcess
                                                                                                            • String ID: Error$Runtime error at 00000000
                                                                                                            • API String ID: 1220098344-2970929446
                                                                                                            • Opcode ID: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                                            • Instruction ID: e2df0dcbf1ce8e07228a8ae3c957e3f7be2bf5582065763199918d440bd3f461
                                                                                                            • Opcode Fuzzy Hash: 4aa0907dffceb0697d192a833af99b379258e6819ee5eddde657f3822e72bbb6
                                                                                                            • Instruction Fuzzy Hash: 8E219560A442414ADB11A779BA8571B3B91D7E5348F04817BE710A73E3C77C8C4487ED
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042C804: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C828
                                                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                            • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00456C50
                                                                                                            • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00456C7D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                                            • String ID: LoadTypeLib$RegisterTypeLib
                                                                                                            • API String ID: 1312246647-2435364021
                                                                                                            • Opcode ID: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                                            • Instruction ID: 3ed1135b8019c5f4588910a0035f5c9e1cabb82a18fedb82429c118dce795412
                                                                                                            • Opcode Fuzzy Hash: 99adc2ab1761f2fa15f1ac99c5dc87c93e60f5f8f6cafab150dd189b668492eb
                                                                                                            • Instruction Fuzzy Hash: 2911B430B00604AFDB02EFA6CD51A5EB7BDEB89705F5184B6FC44D3752DA389904CA24
                                                                                                            APIs
                                                                                                            • SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 0045716E
                                                                                                            • SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 0045720B
                                                                                                            Strings
                                                                                                            • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 0045719A
                                                                                                            • Failed to create DebugClientWnd, xrefs: 004571D4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend
                                                                                                            • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                                            • API String ID: 3850602802-3720027226
                                                                                                            • Opcode ID: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                                            • Instruction ID: a6ca84080c04e90ac639e3db27cd2c1e4b46fe4ea5f20cae781d9f83c3d7e460
                                                                                                            • Opcode Fuzzy Hash: 3689ec14d1edae2f57f0a744906126f7255bff4f1947e1d6bbead030c2853570
                                                                                                            • Instruction Fuzzy Hash: 1011E770248240AFD710AB69AC85B5FBBD89B54319F15407AFA849B383D7798C18C7AE
                                                                                                            APIs
                                                                                                              • Part of subcall function 004242C4: SetWindowTextA.USER32(?,00000000), ref: 004242DC
                                                                                                            • GetFocus.USER32 ref: 00478757
                                                                                                            • GetKeyState.USER32(0000007A), ref: 00478769
                                                                                                            • WaitMessage.USER32(?,00000000,00478790,?,00000000,004787B7,?,?,00000001,00000000,?,?,?,00480402,00000000,004812C8), ref: 00478773
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FocusMessageStateTextWaitWindow
                                                                                                            • String ID: Wnd=$%x
                                                                                                            • API String ID: 1381870634-2927251529
                                                                                                            • Opcode ID: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                                            • Instruction ID: f17a5035e7dee30901ec9a03c3a5a372f1d0714b29ccd98a4f066b2945bd060b
                                                                                                            • Opcode Fuzzy Hash: c0ca7a1e78f0957e158d44939737d51478939e9ac1b0c689120181bc9166dade
                                                                                                            • Instruction Fuzzy Hash: CE11C634A40244AFD704EF65DC49A9EBBF8EB49314F6184BFF409E7681DB386D00CA69
                                                                                                            APIs
                                                                                                            • FileTimeToLocalFileTime.KERNEL32(?), ref: 0046E618
                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046E627
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Time$File$LocalSystem
                                                                                                            • String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
                                                                                                            • API String ID: 1748579591-1013271723
                                                                                                            • Opcode ID: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                                                            • Instruction ID: 5dd65cae4c1adac9d47cc9ad6336eda1851498fedff4a8a979bd050f9c4a6815
                                                                                                            • Opcode Fuzzy Hash: 93d3f9926fe1e9ec47fc0153e923e0389e011619b8f85a7a05f57e02ab74589b
                                                                                                            • Instruction Fuzzy Hash: A81136A440C3909ED340DF2AC04432BBAE4AB99704F44892EF8C8C6381E779C848DBB7
                                                                                                            APIs
                                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000020), ref: 00453F83
                                                                                                              • Part of subcall function 00406F50: DeleteFileA.KERNEL32(00000000,0049B628,004986F1,00000000,00498746,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F5B
                                                                                                            • MoveFileA.KERNEL32(00000000,00000000), ref: 00453FA8
                                                                                                              • Part of subcall function 0045349C: GetLastError.KERNEL32(00000000,00454031,00000005,00000000,00454066,?,?,00000000,0049B628,00000004,00000000,00000000,00000000,?,004983A5,00000000), ref: 0045349F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: File$AttributesDeleteErrorLastMove
                                                                                                            • String ID: DeleteFile$MoveFile
                                                                                                            • API String ID: 3024442154-139070271
                                                                                                            • Opcode ID: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                                            • Instruction ID: b5871bee3d194af1fa843ac656f6d820fc0ba16d57580c91db5694710367c43f
                                                                                                            • Opcode Fuzzy Hash: ad4ba0b838e9d5317ad6887f6d8cb75152b6b17696a4ed4ee46c007163692804
                                                                                                            • Instruction Fuzzy Hash: AEF062716142045BD701FBA2D84266EA7ECDB8435EF60443BB900BB6C3DA3C9E094529
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,004594A1,00000000,00459659,?,00000000,00000000,00000000), ref: 004593B1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen
                                                                                                            • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                                            • API String ID: 47109696-2631785700
                                                                                                            • Opcode ID: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                                            • Instruction ID: 1950c6f853cc10ed35e504d9d8503a730f6ffd27dc9bba4e9fa27fab35675349
                                                                                                            • Opcode Fuzzy Hash: be4fb59b900ee74e718d87cdc4fcd1eef43a9c564c0a5ec1af3f625bb6e6dd39
                                                                                                            • Instruction Fuzzy Hash: 12F0AF31300110DBCB10EB9AD885B6F6299DB9931AF50503BF981DB293E73CCC168629
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                            • RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C05
                                                                                                            • RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00483C28
                                                                                                            Strings
                                                                                                            • System\CurrentControlSet\Control\Windows, xrefs: 00483BD2
                                                                                                            • CSDVersion, xrefs: 00483BFC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                            • String ID: CSDVersion$System\CurrentControlSet\Control\Windows
                                                                                                            • API String ID: 3677997916-1910633163
                                                                                                            • Opcode ID: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                                            • Instruction ID: 1d850e848a14c5c59b8e95f13e5f63a8fb365af486cc5d6c9f9b701d22fca986
                                                                                                            • Opcode Fuzzy Hash: 33fca6af7241f4b653fe53c350a6e88c669f1de2ef3da1c7a1752152dae0c121
                                                                                                            • Instruction Fuzzy Hash: 56F03176E40208A6DF10EAD48C45BAFB3BCAB14B05F104967EA10F7280E678AB048B59
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,00453B5A,00000000,00453BFD,?,?,00000000,00000000,00000000,00000000,00000000,?,00453FED,00000000), ref: 0042D90A
                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D910
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                                            • API String ID: 1646373207-4063490227
                                                                                                            • Opcode ID: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                                            • Instruction ID: 657275fb9dfacbe144619f02b172540cf2f0c5a6f4252bec6bd03a25d2dd35a2
                                                                                                            • Opcode Fuzzy Hash: 3965e48138ab8598cb17ff311cd558fd433aca8a834515e354a81fb776e31baf
                                                                                                            • Instruction Fuzzy Hash: A5E0DFE0B40B0122D70032BA1C82B6B108D4B84728F90053B3894E62D6DDBCD9840A6D
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EAD0), ref: 0042EB62
                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EB68
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                                            • API String ID: 1646373207-260599015
                                                                                                            • Opcode ID: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                                            • Instruction ID: e1ec077e445c8734ae54db5ffdd633522f5c412f0b7fee52e54de0d29bb4c321
                                                                                                            • Opcode Fuzzy Hash: 88ce12e330a2fc51ece58c284b54de3a76b504cb94a4c995bd1a3fb2c6ea0693
                                                                                                            • Instruction Fuzzy Hash: A2D0C793311732665D10B1F73CD1EAB058C891527935404B7F515E5641D55DEC1115AD
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,00498BF2), ref: 0044F77F
                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044F785
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: NotifyWinEvent$user32.dll
                                                                                                            • API String ID: 1646373207-597752486
                                                                                                            • Opcode ID: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                                            • Instruction ID: 5e946f17392c81a4f172a46fe169fb9a1f72c9003761a5edf28bd31acc2f1150
                                                                                                            • Opcode Fuzzy Hash: f97c3de5cacafbf63d36e16939e29d51eb7e912e87a0fb2b79f6fc39cd446e20
                                                                                                            • Instruction Fuzzy Hash: 59E012F0E417049AFF00BBB57B86B1A3A90E764719B00057FF414A6292DB7C481C4F9D
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00498C48,00000001,00000000,00498C6C), ref: 00498972
                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00498978
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                                            • API String ID: 1646373207-834958232
                                                                                                            • Opcode ID: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                                            • Instruction ID: 34f838485a85c0df890c3e192e44216071158a5cea444d63bbc0a0b2480586ef
                                                                                                            • Opcode Fuzzy Hash: 71af8591fbce5d4533a7188bae6238bebf63b2f5996384562a89c67780edd1c3
                                                                                                            • Instruction Fuzzy Hash: 22B002C0651707589D5032FA0D06B3F48484C5276D728057F3414A51C6DD6C89115D3F
                                                                                                            APIs
                                                                                                              • Part of subcall function 0044B658: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044F775,00498BF2), ref: 0044B67F
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044B697
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044B6A9
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044B6BB
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044B6CD
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6DF
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044B6F1
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044B703
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044B715
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044B727
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044B739
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044B74B
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044B75D
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044B76F
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044B781
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044B793
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044B7A5
                                                                                                              • Part of subcall function 0044B658: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B7B7
                                                                                                            • LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,00498C1A), ref: 00464603
                                                                                                            • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00464609
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                                            • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                            • API String ID: 2238633743-2683653824
                                                                                                            • Opcode ID: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                                            • Instruction ID: ed4894befccbfeda2ad80f7d1b9e1cb4df1a551eae9986247d0c145e26b1cd95
                                                                                                            • Opcode Fuzzy Hash: edc6f8ec64a36a5908760ff58e990ea99ea877eb638915fc896b3384d426fa6b
                                                                                                            • Instruction Fuzzy Hash: DDB092D0A82740A4C90077F2985B90F2A4488A271EB10153B710476483EABC84100EAE
                                                                                                            APIs
                                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54), ref: 0047D7CC
                                                                                                            • FindClose.KERNEL32(000000FF,0047D7F7,0047D7F0,?,?,?,?,00000000,0047D945,?,?,?,00000000,?,0047DA54,00000000), ref: 0047D7EA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Find$CloseFileNext
                                                                                                            • String ID:
                                                                                                            • API String ID: 2066263336-0
                                                                                                            • Opcode ID: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                                            • Instruction ID: 2ce97de6e4eb512f8d4c2eb376340b964b0e691095a652a34be041e4083b4e02
                                                                                                            • Opcode Fuzzy Hash: df8c12b404288ac1cc0f16a4307cfa19f630790b74cd409a531bdd723e619500
                                                                                                            • Instruction Fuzzy Hash: 07813A74D0024D9FCF11EFA5CC91ADFBBB8EF49304F5080AAE908A7291D6399A46CF54
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
                                                                                                              • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
                                                                                                            • GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CountErrorFileLastMoveTick
                                                                                                            • String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
                                                                                                            • API String ID: 2406187244-2685451598
                                                                                                            • Opcode ID: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                                            • Instruction ID: cfe7f312216358cbd0971b398f0cafde252de4893b1317a5ce8d70824cf78b76
                                                                                                            • Opcode Fuzzy Hash: b4e541c37b522712e9a51433fba2d6f7c47cca6c6c5b44fd3a0118cd85a505a9
                                                                                                            • Instruction Fuzzy Hash: 4D418570A006099BDB10EFA5D882AEF77B5FF48314F508537E408BB395D7789A058BA9
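The "APIs" blocks above follow a fixed shape: a bullet per call, an optional "Part of subcall function <addr>:" prefix when the call is reached through a callee rather than made directly, the Name.MODULE pair, the argument list with symbolic constants the sandbox could resolve annotated in parentheses (MOVEFILE_REPLACE_EXISTING above), and the call-site address after "ref:". The following Python parser is an added example, not part of the Joe Sandbox report or its IDA plugin: it turns such records into structured objects, keeps annotated constants attached to their argument, distinguishes direct from subcall-reached APIs, and runs a small watch-list over the result. The embedded sample text is copied from the two records above (the MoveFileEx record and the GetDesktopWindow/SetCursor record that follows); the watch-list and its descriptions are assumptions made for this example, not Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Excerpt copied from two of the function records on this page (only the "APIs"
# bullets and the "API ID" label of each record are kept; everything else is dropped).
SAMPLE = """\
APIs
  • Part of subcall function 0042EE30: GetTickCount.KERNEL32 ref: 0042EE36
  • Part of subcall function 0042EC88: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042ECBD
• GetLastError.KERNEL32(00000000,00475721,?,?,0049C1E0,00000000), ref: 0047560A
Similarity
• API ID: CountErrorFileLastMoveTick
APIs
• GetDesktopWindow.USER32 ref: 00413D46
• GetDesktopWindow.USER32 ref: 00413DFE
  • Part of subcall function 00418EC0: 6F59C6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
  • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
• SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
Similarity
• API ID: CursorDesktopWindow$Show
"""

# One "APIs" bullet: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE, an optional "(args)" list and the "ref: <addr>" call site.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<via>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[0-9A-Za-z_]+)\.(?P<module>[0-9A-Za-z_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# A symbolic constant the sandbox annotated next to a raw argument value.
CONST = re.compile(r"\(([A-Za-z_][A-Za-z0-9_|]*)\)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                    # address of the call instruction
    via: Optional[str] = None   # callee address when reached through a subcall

    def constants(self) -> List[str]:
        return [m.group(1) for a in self.args for m in CONST.finditer(a)]


@dataclass
class FunctionRecord:
    api_id: str = ""            # the "API ID" label from the Similarity block
    calls: List[ApiCall] = field(default_factory=list)


def split_args(raw: str) -> List[str]:
    """Split on top-level commas only, so 00000001(MOVEFILE_REPLACE_EXISTING) stays whole."""
    out, cur, depth = [], "", 0
    for ch in raw:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def parse_records(text: str) -> List[FunctionRecord]:
    """Each 'APIs' header opens a new record; bullets until the next header belong to it."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        if stripped.startswith("• API ID:"):
            current.api_id = stripped.split(":", 1)[1].strip()
            continue
        m = API_LINE.match(line)
        if m:
            current.calls.append(ApiCall(name=m["name"], module=m["module"],
                                         args=split_args(m["args"] or ""),
                                         ref=m["ref"], via=m["via"]))
    return records


# Hypothetical watch-list for this example (an assumption, not a sandbox signature):
# API name -> why an analyst would want to look at the call site.
WATCH: Dict[str, str] = {
    "MoveFileExA": "moves or replaces a file on disk",
    "GetTickCount": "reads a timer (timing measurement)",
    "ShowCursor": "changes cursor visibility",
}


def triage(records: List[FunctionRecord]) -> List[Tuple[str, str, str, Optional[str], str]]:
    """(api_id, api name, call-site ref, subcall address or None, reason) for every watched call."""
    return [(rec.api_id, c.name, c.ref, c.via, WATCH[c.name])
            for rec in records for c in rec.calls if c.name in WATCH]


if __name__ == "__main__":
    for api_id, name, ref, via, why in triage(parse_records(SAMPLE)):
        where = f"via subcall {via}" if via else "direct"
        print(f"{api_id:28} {name:14} @ {ref} ({where}): {why}")
```

The `via` field matters when reading these records: an API listed under "Part of subcall function" is attributed to the record's function only transitively, so a hit there points at the callee address, not at the function whose fuzzy hash the record carries.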
                                                                                                            APIs
                                                                                                            • GetDesktopWindow.USER32 ref: 00413D46
                                                                                                            • GetDesktopWindow.USER32 ref: 00413DFE
                                                                                                              • Part of subcall function 00418EC0: 6F59C6F0.COMCTL32(?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EDC
                                                                                                              • Part of subcall function 00418EC0: ShowCursor.USER32(00000001,?,00000000,00413FC3,00000000,004140D3,?,?,0049B628), ref: 00418EF9
                                                                                                            • SetCursor.USER32(00000000,?,?,?,?,00413AF3,00000000,00413B06), ref: 00413E3C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CursorDesktopWindow$Show
                                                                                                            • String ID:
                                                                                                            • API String ID: 2074268717-0
                                                                                                            • Opcode ID: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                                            • Instruction ID: d0219f8535474b9b7e790bb207accfb6dce16a9ac66decbe361331da1304c66b
                                                                                                            • Opcode Fuzzy Hash: 48e3412c1a46991eea637d4b1b247886da5b7466a2ee9d80c19fa9edf3c8b710
                                                                                                            • Instruction Fuzzy Hash: 91412C75600210AFC710DF2AFA84B56B7E1EB65329B16817BE405CB365DB38DD81CF98
                                                                                                            APIs
                                                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A75
                                                                                                            • LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AE4
                                                                                                            • LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B7F
                                                                                                            • MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BBE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: LoadString$FileMessageModuleName
                                                                                                            • String ID:
                                                                                                            • API String ID: 704749118-0
                                                                                                            • Opcode ID: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                                            • Instruction ID: 7d65b0a5aa49ad722f3f3263bbe29e3330acee4661d9e2153cfe083702b22da2
                                                                                                            • Opcode Fuzzy Hash: ede814ba8b2c905ab74f80468cae56b5ab65d73ed59c96bbcc76a4520df8398d
                                                                                                            • Instruction Fuzzy Hash: 1F3123716083849AD370EB65C945BDF77D89B85704F40483FB6C8E72D1EB7859048B6B
                                                                                                            APIs
                                                                                                            • SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E90D
                                                                                                              • Part of subcall function 0044CF50: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044CF82
                                                                                                            • InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E991
                                                                                                              • Part of subcall function 0042BBB4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBC8
                                                                                                            • IsRectEmpty.USER32(?), ref: 0044E953
                                                                                                            • ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E976
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 855768636-0
                                                                                                            • Opcode ID: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                                            • Instruction ID: f7bad605b8f68185b4e834990bb8ca2287257270a928060092b59a923d315d7c
                                                                                                            • Opcode Fuzzy Hash: a4575d285c62c1c56b7686ad69dfdc5ef60a631fed5d3d1fc0705a1474777ead
                                                                                                            • Instruction Fuzzy Hash: E5114A71B0030067E650BA7B8C86B5B76C9AB88748F15083FB545EB387DE7DDD094299
                                                                                                            APIs
                                                                                                            • OffsetRect.USER32(?,?,00000000), ref: 00495988
                                                                                                            • OffsetRect.USER32(?,00000000,?), ref: 004959A3
                                                                                                            • OffsetRect.USER32(?,?,00000000), ref: 004959BD
                                                                                                            • OffsetRect.USER32(?,00000000,?), ref: 004959D8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: OffsetRect
                                                                                                            • String ID:
                                                                                                            • API String ID: 177026234-0
                                                                                                            • Opcode ID: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                                            • Instruction ID: 9409249b62c1188f54b5b62e2685c04785358b71117f53a2337039625fc08c68
                                                                                                            • Opcode Fuzzy Hash: e6cd63ab1267e2bef36e0ea42f4f89ffcc49fa5b03609306a0fb63f812f5ac90
                                                                                                            • Instruction Fuzzy Hash: 1121AEB6700701AFDB00DE69CD81E5BB7DAEFC4350F248A2AF944C3249D638ED048761
                                                                                                            APIs
                                                                                                            • GetCursorPos.USER32 ref: 00417260
                                                                                                            • SetCursor.USER32(00000000), ref: 004172A3
                                                                                                            • GetLastActivePopup.USER32(?), ref: 004172CD
                                                                                                            • GetForegroundWindow.USER32(?), ref: 004172D4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Cursor$ActiveForegroundLastPopupWindow
                                                                                                            • String ID:
                                                                                                            • API String ID: 1959210111-0
                                                                                                            • Opcode ID: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                                            • Instruction ID: de3f0dc6b436800086b9427ec8ddd2ec86eeedce3a35093462374e80c8eda50e
                                                                                                            • Opcode Fuzzy Hash: 0325eb73ca892009698aa7541b5e3073a06fcfb7bd7d3fb361e05756697ccdec
                                                                                                            • Instruction Fuzzy Hash: C52183313086118AD720AFA9E945AE733F1EF44754B0544ABF8558B352DB3DDC82CB9E
                                                                                                            APIs
                                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 004955F1
                                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 00495605
                                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 00495619
                                                                                                            • MulDiv.KERNEL32(?,00000008,?), ref: 00495637
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                                            • Instruction ID: b77f8f3c6746ea581d036ce488ab013aedd37a602364075716cddbfd1b85439e
                                                                                                            • Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
                                                                                                            • Instruction Fuzzy Hash: A5112E72604504ABCB40DEA9D8C4D9B7BECEF8D324B6441AAF908DB242D674ED408B68
                                                                                                            APIs
                                                                                                            • GetClassInfoA.USER32(00400000,0041F470,?), ref: 0041F4A1
                                                                                                            • UnregisterClassA.USER32(0041F470,00400000), ref: 0041F4CA
                                                                                                            • RegisterClassA.USER32(00499598), ref: 0041F4D4
                                                                                                            • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F50F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
Similarity
• API ID: Class$InfoLongRegisterUnregisterWindow
• String ID:
• API String ID: 4025006896-0
• Opcode ID: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
• Instruction ID: 7a0dc659497f48f9aad4428a0df7724adcaf244520b53866b591a9b3b5545ee4
• Opcode Fuzzy Hash: 7a514111b6068dfbbdb04c48d1a2146d17cf63cab41d43eccfd0167b2dbd8d5c
• Instruction Fuzzy Hash: F6011B72240104AADA10EBACED81E9B33999729314B11423BB615E72A2D6399C558BAC
APIs
• WaitForInputIdle.USER32(?,00000032), ref: 00454FA8
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00454FCA
• GetExitCodeProcess.KERNEL32(?,?), ref: 00454FD9
• CloseHandle.KERNEL32(?,00455006,00454FFF,?,?,?,00000000,?,?,004551DB,?,?,?,00000044,00000000,00000000), ref: 00454FF9
Memory Dump Source
• Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
(All functions listed below were extracted from this same memory dump and snapshot.)
Similarity
• API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
• String ID:
• API String ID: 4071923889-0
• Opcode ID: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
• Instruction ID: ea90b2abd28d60bbe0c33bbe6d7a83e36ef454db8471bda6b5c19e9a906557d9
• Opcode Fuzzy Hash: 8aa0dd6ec5a68f6f7641eb82506f7728cd0b20fc7582fe19e2ee2bc87ac6724f
• Instruction Fuzzy Hash: B9012D31A006097FEB1097AA8C02F6FBBECDF49764F610127F904D72C2C5788D409A78
APIs
• FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D027
• LoadResource.KERNEL32(00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58,0000000A,00000000), ref: 0040D041
• SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?,?,0047CB58), ref: 0040D05B
• LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A7C8,00400000,00000001,00000000,?,0040CF84,00000000,?,00000000,?), ref: 0040D065
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
• Instruction ID: ce77ce8360aa458f47a01e9b0563465317cd85cc21d7bcd45488e041df035c61
• Opcode Fuzzy Hash: f701ce4f04cb0ebdd1143b5585c75acb70ffd029a82b31343d3be87257736b7b
• Instruction Fuzzy Hash: 49F04F726056046F9B14EE59A881D5B77ECDE88268310013AF908E7286DA38DD018B68
APIs
• RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,022CC330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
• RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,022CC330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
• LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,022CC330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
• RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,022CC330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
• Opcode ID: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
• Instruction ID: 91310e2de28581c92a9b529d79901d52005bdf0b1253609ef7109df0d78d257f
• Opcode Fuzzy Hash: 303ccfa916ee30606edfd417ee1dfeae8d79d4aa2781d0ec5268568314661242
• Instruction Fuzzy Hash: D001A1706482409EE719AB69BA467253FD4D795B48F11803BF840A6BF3C77C4440EBAD
APIs
• GetLastError.KERNEL32(?,00000000), ref: 004705F1
Strings
• Unsetting NTFS compression on file: %s, xrefs: 004705D7
• Setting NTFS compression on file: %s, xrefs: 004705BF
• Failed to set NTFS compression state (%d)., xrefs: 00470602
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
• Opcode ID: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
• Instruction ID: 452327faed6fd823952186a677ff1a78a18aba12ee86070aec797b5412e08bdc
• Opcode Fuzzy Hash: 4a85a403c5f553919e8eb8264edf58c674aea38054a880eb2495f4adb197a451
• Instruction Fuzzy Hash: A5018B71D09248A6CB04D7AD94512DDBBE49F4D314F44C5FFE459D7342DB780A088B9E
APIs
• GetLastError.KERNEL32(00000000,00000000), ref: 0046FE45
Strings
• Unsetting NTFS compression on directory: %s, xrefs: 0046FE2B
• Failed to set NTFS compression state (%d)., xrefs: 0046FE56
• Setting NTFS compression on directory: %s, xrefs: 0046FE13
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
• API String ID: 1452528299-1392080489
• Opcode ID: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
• Instruction ID: 6c3eba688a3488f6cff2036d9eec8e6f632fba0cce39d579df3f4bd3b957a0ce
• Opcode Fuzzy Hash: 01501a136b81c39b7c411191948b84cc59583678e1d21d505a98b8108a1a9e37
• Instruction Fuzzy Hash: E5014421E0824856CB04D7ADE44129DBBA49F49304F4485BBA495E7253EB790A09879B
APIs
  • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
• RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000,0045B7D5), ref: 00455DD8
• RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045B7AE,?,?,?,?,?,00000000), ref: 00455DE1
• RemoveFontResourceA.GDI32(00000000), ref: 00455DEE
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00455E02
Similarity
• API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
• String ID:
• API String ID: 4283692357-0
• Opcode ID: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
• Instruction ID: 71ccc6c4ad223293e5fa71c014565a1ca4f3f808124b73c5b0663eb55104ffd2
• Opcode Fuzzy Hash: 53be27aa0997865f395f34354d63af882f7726c3d4a8d794711f16c86898bbe7
• Instruction Fuzzy Hash: 57F0BEB174070036EA10B6BAAC4BF2B26CC8F54745F10883ABA00EF2C3D97CDC04962D
APIs
Similarity
• API ID: ErrorLast$CountSleepTick
• String ID:
• API String ID: 2227064392-0
• Opcode ID: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
• Instruction ID: 56d8cd0ebf6ab4a4d31aad6ab38b951dee0ff9c0bbbb70c30f4e079d31b44593
• Opcode Fuzzy Hash: dfa0650b41a5fbb69b4da717be5ba207ba5450cdb50d9376c11a56b5a3797e8a
• Instruction Fuzzy Hash: C6E0ED6A30921149863131AE98CA6AF4D48CBC2324B28853FE08CE6283C89C4C0A867E
APIs
• GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB,00000000), ref: 0047820D
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8,?,?,?,?,?,00498CDB), ref: 00478213
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478235
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,004812C8), ref: 00478246
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode ID: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
• Instruction ID: 91f0679cb69370e855683a510bc75a037ced8834772831ea40795c83ba0b1c60
• Opcode Fuzzy Hash: 89672e1c1dad377db11468aaf314ccfc00159a4e206af17bba33db1213e8e157
• Instruction Fuzzy Hash: D8F037716447007BD600E6B58C81E5B73DCEB44354F04493E7E98C71C1DA78DC089776
                                                                                                            APIs
                                                                                                            • GetLastActivePopup.USER32(?), ref: 0042424C
                                                                                                            • IsWindowVisible.USER32(?), ref: 0042425D
                                                                                                            • IsWindowEnabled.USER32(?), ref: 00424267
                                                                                                            • SetForegroundWindow.USER32(?), ref: 00424271
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ActiveEnabledForegroundLastPopupVisible
                                                                                                            • String ID:
                                                                                                            • API String ID: 2280970139-0
                                                                                                            • Opcode ID: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                                            • Instruction ID: 2c5ff33fc315f6eb6fab431e1453bcb0e66c5aaaa6596e28cc8dc28fd0b03a53
                                                                                                            • Opcode Fuzzy Hash: d317456c615bf9008b67529b06aff5f9fae4f5f479d94640f2b11ca0dbd6cbb7
                                                                                                            • Instruction Fuzzy Hash: C7E0EC61B02672D6AE31FA7B2881A9F518C9D45BE434641EBBC04FB38ADB2CDC1141BD
                                                                                                            APIs
                                                                                                            • GlobalHandle.KERNEL32 ref: 0040626F
                                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00406276
                                                                                                            • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040627B
                                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00406281
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Global$AllocHandleLockUnlock
                                                                                                            • String ID:
                                                                                                            • API String ID: 2167344118-0
                                                                                                            • Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                                            • Instruction ID: 5df08fd8dc2b017785a639aa93036e57be915985ffe03f20f856cac12e18577c
                                                                                                            • Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
                                                                                                            • Instruction Fuzzy Hash: 0BB009C4810A01BEEC0473B24C0BE3F245CD88172C3904A6F3448BA183987C9C405A3A
                                                                                                            APIs
                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047BB01,?,00000000,00000000,00000001,00000000,0047A4B5,?,00000000), ref: 0047A479
                                                                                                            Strings
                                                                                                            • Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047A2ED
                                                                                                            • Failed to parse "reg" constant, xrefs: 0047A480
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Close
                                                                                                            • String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
                                                                                                            • API String ID: 3535843008-1938159461
                                                                                                            • Opcode ID: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                                            • Instruction ID: 25f2a786541cb687838a6194ffc4a73185deb9e5551b5ad8c851c0bf1152322b
                                                                                                            • Opcode Fuzzy Hash: 05ee6b3b67afee6859f894b9066335fb286a048b1f35c691c8bdca609618c678
                                                                                                            • Instruction Fuzzy Hash: 22817274E00108AFCB10DF95D485ADEBBF9AF88344F50817AE814B7392D739AE05CB99
                                                                                                            APIs
                                                                                                            • GetForegroundWindow.USER32(00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835C5
                                                                                                            • SetActiveWindow.USER32(?,00000000,00483716,?,00000000,00483757,?,?,?,?,00000000,00000000,00000000,?,0046BD99), ref: 004835D7
                                                                                                            Strings
                                                                                                            • Will not restart Windows automatically., xrefs: 004836F6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Window$ActiveForeground
                                                                                                            • String ID: Will not restart Windows automatically.
                                                                                                            • API String ID: 307657957-4169339592
                                                                                                            • Opcode ID: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                                            • Instruction ID: 4bdce942002d158aae482430f0c171f92fa141a3e9c551c877f01fd154286bbb
                                                                                                            • Opcode Fuzzy Hash: ceb5e1da4dc76295146827fa9bc1951038eb8722099578625e3d3877b71a3664
                                                                                                            • Instruction Fuzzy Hash: 7F414870648240BFD321FF68DC92B6D3BE49718B09F6448B7E440573A2E37D9A059B1D
                                                                                                            APIs
                                                                                                            • LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764B0
                                                                                                            • SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,004764DF,?,00000000,004764F0,?,00000000,00476539), ref: 004764C4
                                                                                                            Strings
                                                                                                            • Extracting temporary file: , xrefs: 004763EC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FileTime$Local
                                                                                                            • String ID: Extracting temporary file:
                                                                                                            • API String ID: 791338737-4171118009
                                                                                                            • Opcode ID: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                                            • Instruction ID: 173659db1c42fed311bbc77dc24fc0b62308bfde4479aaaaa113f8cb774a82d8
                                                                                                            • Opcode Fuzzy Hash: a80e35328548893b295efc7472ac722154afa94c34651c27e26e6e8334cb8313
                                                                                                            • Instruction Fuzzy Hash: 9541B670E00649AFCB01DFA5C892AAFBBB9EB09704F51847AF814A7291D7789905CB58
                                                                                                            Strings
                                                                                                            • Failed to proceed to next wizard page; aborting., xrefs: 0046CD24
                                                                                                            • Failed to proceed to next wizard page; showing wizard., xrefs: 0046CD38
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                                            • API String ID: 0-1974262853
                                                                                                            • Opcode ID: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                                            • Instruction ID: bcb3787111d781b294161d03010f6e791927551fc3c7e501f8e48cd77162cd73
                                                                                                            • Opcode Fuzzy Hash: 7a25e1645a33cbe6e929f5c7beb1038c0aed19b3e354743701339651447d5c4b
                                                                                                            • Instruction Fuzzy Hash: A531C430604204DFD711EB59D9C5BA977F5EB06304F5500BBF448AB392D7786E40CB49
                                                                                                            APIs
                                                                                                              • Part of subcall function 0042DE1C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,;H,?,00000001,?,?,00483BE3,?,00000001,00000000), ref: 0042DE38
                                                                                                            • RegCloseKey.ADVAPI32(?,00478F7E,?,?,00000001,00000000,00000000,00478F99), ref: 00478F67
                                                                                                            Strings
                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00478EF2
                                                                                                            • %s\%s_is1, xrefs: 00478F10
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseOpen
                                                                                                            • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                            • API String ID: 47109696-1598650737
                                                                                                            • Opcode ID: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                                            • Instruction ID: 4b2a563bf9abf46f4fe3d7c32e0d4fce195dfbf5fea183d3e913b06dd9c9918d
                                                                                                            • Opcode Fuzzy Hash: 4390143081fa1cbfc05a77ab89ffad6b83c856e6c2d55465ffb8b64579313e9f
                                                                                                            • Instruction Fuzzy Hash: EC218070B44244AFDB11DBA9CC45A9EBBF9EB8D704F90847BE408E7381DB789D018B58
                                                                                                            APIs
                                                                                                            • SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 004501FD
                                                                                                            • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0045022E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                            • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ExecuteMessageSendShell
                                                                                                            • String ID: open
                                                                                                            • API String ID: 812272486-2758837156
                                                                                                            • Opcode ID: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                                            • Instruction ID: 7f57506e0c07b49dd0b520b237e7736b759e9f4ed638734fb0c833ac5abbff07
                                                                                                            • Opcode Fuzzy Hash: ea446b968c091deb5619fe0c64f284e9fafe3e6cb185d1fb8701354efc215884
                                                                                                            • Instruction Fuzzy Hash: A1216074E00204AFDB10DFA9C896B9EBBF8EB44705F1081BAB404E7292D678DE45CA59
                                                                                                            APIs
                                                                                                            • ShellExecuteEx.SHELL32(0000003C), ref: 0045532C
                                                                                                            • GetLastError.KERNEL32(0000003C,00000000,00455375,?,?,?), ref: 0045533D
                                                                                                              • Part of subcall function 0042D8C4: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8D7
                                                                                                            Similarity
                                                                                                            • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                                            • String ID: <
                                                                                                            • API String ID: 893404051-4251816714
                                                                                                            • Opcode ID: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                                            • Instruction ID: 92df0b2f1231c5c49ece4c570041ef31d6ed92e86db86b93cafb864a5026e18c
                                                                                                            • Opcode Fuzzy Hash: be62181711fdad770c23067a055a605ead6c89444dc6de91f0ff3b7559ccb240
                                                                                                            • Instruction Fuzzy Hash: 172167B0600609ABDB10EF65C8926AE7BE8AF44355F54403AFC44E7291D7789E49CB98
                                                                                                            APIs
                                                                                                            • RtlEnterCriticalSection.KERNEL32(0049B420,00000000,)), ref: 004025C7
                                                                                                            • RtlLeaveCriticalSection.KERNEL32(0049B420,0040263D), ref: 00402630
                                                                                                              • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049B420,00000000,00401A82,?,?,0040222E,022CC330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
                                                                                                              • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049B420,0049B420,00000000,00401A82,?,?,0040222E,022CC330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
                                                                                                              • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049B420,00000000,00401A82,?,?,0040222E,022CC330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                              • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049B420,00401A89,00000000,00401A82,?,?,0040222E,022CC330,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeave$AllocInitializeLocal
                                                                                                            • String ID: )
                                                                                                            • API String ID: 2227675388-1084416617
                                                                                                            • Opcode ID: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                                                                            • Instruction ID: 77bd95ba853a3ee3b707a504883d316aad751082ca23ba06a0d8aa2ba3da16af
                                                                                                            • Opcode Fuzzy Hash: 09cf32ac568926239da630a480ec85c7fe0e44c3c7351229851fbcf18ccaddb2
                                                                                                            • Instruction Fuzzy Hash: E11104317042046FEB15AB796F5962B6AD4D795758B24087FF404F33D2DABD8C02929C
                                                                                                            APIs
                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00496B69
                                                                                                            Similarity
                                                                                                            • API ID: Window
                                                                                                            • String ID: /INITPROCWND=$%x $@
                                                                                                            • API String ID: 2353593579-4169826103
                                                                                                            • Opcode ID: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                                            • Instruction ID: 88b10d18150c6b9811cea3f3864e76c9cf3cbfb68c265b437af87b1fefc14b87
                                                                                                            • Opcode Fuzzy Hash: 065ab22c92abacbd348a857e8389b224364e1a84b4d72130b6d36c29b0d142f9
                                                                                                            • Instruction Fuzzy Hash: A3117231A042489FDF01DBA4E855BAEBFE8EB49314F51847BE504E7292EB3CA905C658
                                                                                                            APIs
                                                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                            • SysFreeString.OLEAUT32(?), ref: 004474C6
                                                                                                            Similarity
                                                                                                            • API ID: String$AllocByteCharFreeMultiWide
                                                                                                            • String ID: NIL Interface Exception$Unknown Method
                                                                                                            • API String ID: 3952431833-1023667238
                                                                                                            • Opcode ID: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                                            • Instruction ID: eb0132878ffe7144b3db707554455947565e11d0cdd4dc78092451a8fec87e99
                                                                                                            • Opcode Fuzzy Hash: eaaa5532a95bbaa63f0b72a9291e33775e11d622c6162567185e6fee38e986d8
                                                                                                            • Instruction Fuzzy Hash: 8011B9706082089FEB10DFA58C52A6EBBBCEB09704F91407AF504F7681D77C9D01CB69
                                                                                                            APIs
                                                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000,00496443), ref: 0049640E
                                                                                                            • CloseHandle.KERNEL32(004964A8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,00496468,?,0049645C,00000000), ref: 00496425
                                                                                                              • Part of subcall function 004962F8: GetLastError.KERNEL32(00000000,00496390,?,?,?,?), ref: 0049631C
                                                                                                            Similarity
                                                                                                            • API ID: CloseCreateErrorHandleLastProcess
                                                                                                            • String ID: 0nI
                                                                                                            • API String ID: 3798668922-794067871
                                                                                                            • Opcode ID: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                                            • Instruction ID: 4379268ebcebee96409867e54b2437a6ba0b21f89d1dc4ba20584320bf55fb87
                                                                                                            • Opcode Fuzzy Hash: 9f8f3e3bd8d813766f30c87d8e8bb38219208be6823d56de1360ae23e0f090d4
                                                                                                            • Instruction Fuzzy Hash: 840182B1644248AFDB00EBD1DC42A9EBBACDF08704F51403AB904E7281D6785E008A2D
                                                                                                            APIs
                                                                                                            • RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DD78
                                                                                                            • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DDB8
                                                                                                            Similarity
                                                                                                            • API ID: Value$EnumQuery
                                                                                                            • String ID: Inno Setup: No Icons
                                                                                                            • API String ID: 1576479698-2016326496
                                                                                                            • Opcode ID: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                                            • Instruction ID: 8d080c6700cf8453afd411d185ff7d2dd707f59376968ad674d2e7d16536e1ed
                                                                                                            • Opcode Fuzzy Hash: 36a0b08f46d91d09f38f531e186592c2a543f82488f0210131226a48688c00be
                                                                                                            • Instruction Fuzzy Hash: 1B012B33B55B7179FB3045256D01F7B57889B82B60F64013BF942EA2C0D6999C04936E
                                                                                                            APIs
                                                                                                            • SetFileAttributesA.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452EC3
                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,00452EE9,?,?,-00000001,?), ref: 00452ECB
                                                                                                            Similarity
                                                                                                            • API ID: AttributesErrorFileLast
                                                                                                            • String ID: T$H
                                                                                                            • API String ID: 1799206407-488339322
                                                                                                            • Opcode ID: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                                            • Instruction ID: d2ab7b9b66ca24062e77e49c95e81f13ab46b8af1b1b2eb811bbb53637dcbd2b
                                                                                                            • Opcode Fuzzy Hash: 164a1123582fd7f8b9629d9128a54c78742dfc935cb603b92947040143095295
                                                                                                            • Instruction Fuzzy Hash: 86F0F971A04204AB8B01DB7A9D4249EB7ECEB8A32171045BBFC04E3642E7B84E048558
                                                                                                            APIs
                                                                                                            • DeleteFileA.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 0045293F
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00452965,?,-00000001,?), ref: 00452947
                                                                                                            Similarity
                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                            • String ID: T$H
                                                                                                            • API String ID: 2018770650-488339322
                                                                                                            • Opcode ID: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                                            • Instruction ID: a1d21d86fbcf93c7076efe682877c1f84c37cf58088428800e153654eea74c02
                                                                                                            • Opcode Fuzzy Hash: 54a576a396afaa571a066345412aacc20c83a6c328a38e41dddb38150347ef46
                                                                                                            • Instruction Fuzzy Hash: 05F0C2B2B04608ABDB01EFB59D414AEB7E8EB4E315B6045B7FC04E3742E6B85E148598
                                                                                                            APIs
                                                                                                            • RemoveDirectoryA.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E47
                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00452E6D,?,-00000001,00000000), ref: 00452E4F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: DirectoryErrorLastRemove
                                                                                                            • String ID: T$H
                                                                                                            • API String ID: 377330604-488339322
                                                                                                            • Opcode ID: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                                            • Instruction ID: a8b2bafe79397aca91686f8656b478e2385adfe3b855dfce5f6cc0b9ba314abc
                                                                                                            • Opcode Fuzzy Hash: f20199e737e539a63e7b44ed2747663bd9db8366f39d7150388d1a26e91210d5
                                                                                                            • Instruction Fuzzy Hash: 70F0FC71A04708AFCF01EF759D4249EB7E8DB4E31575049B7FC14E3642E7785E048598
                                                                                                            APIs
                                                                                                              • Part of subcall function 0047D0CC: FreeLibrary.KERNEL32(74590000,00481A2F), ref: 0047D0E2
                                                                                                              • Part of subcall function 0047CD9C: GetTickCount.KERNEL32 ref: 0047CDE6
                                                                                                              • Part of subcall function 00457294: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004572B3
                                                                                                            • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049895B), ref: 00498059
                                                                                                            • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049895B), ref: 0049805F
                                                                                                            Strings
                                                                                                            • Detected restart. Removing temporary directory., xrefs: 00498013
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                                                                            • String ID: Detected restart. Removing temporary directory.
                                                                                                            • API String ID: 1717587489-3199836293
                                                                                                            • Opcode ID: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                                            • Instruction ID: bb05712aa7eb36d303e19ffab6eef2c78f2a463723ea7eca767f41585c441369
                                                                                                            • Opcode Fuzzy Hash: 281135f9a0ad5b4e488772808dcd9eaa6bf3b34c39f962a9f46887a4a11e3304
                                                                                                            • Instruction Fuzzy Hash: BDE0E532208A406DDA1177BABC1396B7F5CDB46768B22487FF50882552D92D481CC53D
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00498BB6), ref: 0040334B
                                                                                                            • GetCommandLineA.KERNEL32(00000000,00498BB6), ref: 00403356
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CommandHandleLineModule
                                                                                                            • String ID: H6[
                                                                                                            • API String ID: 2123368496-4100791395
                                                                                                            • Opcode ID: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                                                            • Instruction ID: ff8fa06d391bd0b31f892a344b3e95d40f530220570fde7b1ba7fad45aeb04f1
                                                                                                            • Opcode Fuzzy Hash: 48b45b62bccbc2a8e5daf731e4078a894a727d510552ebcfe8024faf6b9ab272
                                                                                                            • Instruction Fuzzy Hash: 45C002609013058AD754AF7579467162A94D751349F80447FF114BA3E1D77C82055BDD
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.2921160214.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                                                                             • Associated: 00000001.00000002.2921125531.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921276828.0000000000499000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921310832.000000000049A000.00000008.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921349915.000000000049B000.00000004.00000001.01000000.00000004.sdmp
                                                                                                             • Associated: 00000001.00000002.2921393296.00000000004AB000.00000002.00000001.01000000.00000004.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_1_2_400000_EQ5Vcf19u8.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastSleep
                                                                                                            • String ID:
                                                                                                            • API String ID: 1458359878-0
                                                                                                            • Opcode ID: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                                            • Instruction ID: f31041694d7e6b08a2ea33ec2b58b28b25921f40701f973673b956735a8b67d8
                                                                                                            • Opcode Fuzzy Hash: 1a9f46df8411143c40a07a37eb8806f02fdea1552ea3146ec5e635b784cd6770
                                                                                                            • Instruction Fuzzy Hash: 42F02B32705F58A78B21B56A889157FB2A8DB81366750012BFC0CD7313C878CC058BBC

                                                                                                            Execution Graph

                                                                                                            Execution Coverage:2.9%
                                                                                                            Dynamic/Decrypted Code Coverage:84.8%
                                                                                                            Signature Coverage:10.3%
                                                                                                            Total number of Nodes:965
                                                                                                            Total number of Limit Nodes:33
                                                                                                             execution_graph (interactive graph rendering not reproduced; the serialized node and edge data is summarized below by root node, address and the Windows APIs each node calls)
                                                                                                             • 401ec0: LoadLibraryExA
                                                                                                             • 4018c3: RegCreateKeyExA, then 401908: RegCloseKey
                                                                                                             • 401b83, via 401807: lstrcmpiW
                                                                                                             • 40d445, via 402940/40294d: CopyFileA
                                                                                                             • 40d407, via 2b82978 (DLL CRT initialization: 2b8917c GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter; 2b86e46 GetProcessHeap; 2b8283f GetCommandLineA; 2b89218 GetEnvironmentStringsW, WideCharToMultiByte, FreeEnvironmentStringsW; 2b88bf5 GetStartupInfoW, GetStdHandle, GetFileType; 2b88e7f GetModuleFileNameA; TlsAlloc, TlsSetValue, TlsGetValue; RtlEncodePointer, RtlDecodePointer; RtlEnterCriticalSection, RtlLeaveCriticalSection; 2b8e9de RtlAllocateHeap; 2b81f7d HeapFree, 2b81f98 GetLastError), then 40d409: Sleep
                                                                                                             • 2baf8f2, via 2b7e8a2: CreateFileA, 2b7e8eb: DeviceIoControl, 2b7e960: GetLastError, 2b7e994: CloseHandle (via _Allocate: 2b831ba RaiseException; 2b86eca GetModuleHandleExW, GetProcAddress, ExitProcess)
                                                                                                             • 2c0ae8a, via 2c0be9e: SHGetSpecialFolderPathA
                                                                                                             • 2b7e9a6: LoadLibraryA, 2b7e9cf: GetProcAddress, 2b7e9f5: GetAdaptersInfo, 2b7ea82: FreeLibrary
                                                                                                             • 40d0d3, via 401649/401d22: VirtualAlloc
                                                                                                             • 401f20, via 401301: FindResourceA, 401367: SizeofResource, 401386: LoadResource, LockResource, GlobalAlloc, 40141f: GetTickCount, 40142a: GlobalAlloc
                                                                                                             • 402a20: GetVersion, 403b64: HeapCreate, then the CRT startup in the 00400000 image (GetCommandLineA, GetStartupInfoA, GetModuleHandleA, GetEnvironmentStringsW, GetEnvironmentStrings, WideCharToMultiByte, FreeEnvironmentStringsW, FreeEnvironmentStringsA, GetStdHandle, GetFileType, SetHandleCount, GetModuleFileNameA, HeapAlloc, HeapFree, VirtualAlloc, VirtualFree, HeapDestroy)
                                                                                                             • 2bbe59a, via 2be255e/2baf21d: WriteFile, 2bbfda9: CloseHandle
                                                                                                             • 40d5a3: OpenSCManagerA
                                                                                                             • 401da5, via 401d95: RegOpenKeyExA, 401f4e: SetEvent
                                                                                                             • 40d5e6: CopyFileA
                                                                                                             • 401ce6, via 40d0b6: Sleep
                                                                                                             • 40d727, via 40e060: RegQueryValueExA
                                                                                                             • 2b75e59: RtlInitializeCriticalSection, GetModuleHandleA, GetProcAddress, GetModuleHandleA, GetProcAddress, 2b75ec6: GetTickCount, 2b75ee3: GetVersionExA, a run of _malloc calls, 2b7605c: QueryPerformanceCounter, Sleep, then the main loop at 2b76092 (RtlEnterCriticalSection/RtlLeaveCriticalSection at 2b76105, 2b76499, 2b7653b, 2b767f2 and 2b76957/2b76984; Sleep at 2b760ff and 2b7676f; GetProcessHeap, HeapFree at 2b808f0 and 2b74100), which dispatches to the worker routines 2b78733 (212 API calls), 2b71ba7 (210), 2b79c0b (210), 2b75119 (103), 2b77336 (89), 2b77fff (88), 2b733b2 (86), 2b81418 _sprintf (79), 2b79721 (73), 2b7c113 (73), 2b73c67 (72), 2b773e5 (71), 2b8133c (66), 2b825e6 _strtok (65), 2b73d7e (64), 2b7984b (60), 2b81850 _swscanf (59), 2b75c0c (59)
                                                                                                             • 4019b4, via 40d0a1: CreateDirectoryA
                                                                                                             • 2b76bc2: enters the same main loop at 2b760eb
61551->61553 61552->61544 61555 2b79721 73 API calls 61552->61555 61554 2b7524a 61553->61554 61554->61544 61557 2b79721 73 API calls 61554->61557 61556 2b752b4 61555->61556 61556->61544 61558 2b79721 73 API calls 61556->61558 61557->61552 61559 2b752da 61558->61559 61559->61544 61560 2b79721 73 API calls 61559->61560 61561 2b75304 61560->61561 61649 2b7bed5 61561->61649 61564 2b79c15 __EH_prolog 61563->61564 61697 2b7c0ea 72 API calls 61564->61697 61566 2b79c36 shared_ptr 61698 2b810f0 61566->61698 61568 2b79c63 61568->61508 61569 2b79c4d 61569->61568 61704 2b73fb0 68 API calls Mailbox 61569->61704 61571 2b79c59 61705 2b79687 60 API calls 4 library calls 61571->61705 61574 2b81fac _malloc 59 API calls 61573->61574 61575 2b75c1f 61574->61575 61577 2b81449 61576->61577 61578 2b81434 61576->61578 61577->61578 61582 2b81450 61577->61582 61940 2b84abb 59 API calls __getptd_noexit 61578->61940 61580 2b81439 61941 2b83b55 9 API calls __ungetc_nolock 61580->61941 61583 2b81444 61582->61583 61942 2b84b61 79 API calls 7 library calls 61582->61942 61583->61508 61943 2b92a00 61585->61943 61587 2b71bb1 RtlEnterCriticalSection 61588 2b71be9 RtlLeaveCriticalSection 61587->61588 61592 2b71bd1 61587->61592 61944 2b7d32f 61588->61944 61590 2b71c22 61591 2b71c55 RtlLeaveCriticalSection 61590->61591 61591->61508 61592->61588 61592->61591 61595 2b7fb10 Mailbox 68 API calls 61594->61595 61596 2b73c7e 61595->61596 62007 2b73ca2 61596->62007 61602 2b73dcb htons 61601->61602 61603 2b73d99 htons 61601->61603 62037 2b73c16 60 API calls 2 library calls 61602->62037 62036 2b73bd3 60 API calls 2 library calls 61603->62036 61606 2b73db7 htonl htonl 61607 2b73ded 61606->61607 61607->61508 61609 2b7734e 61608->61609 61610 2b7736f 61608->61610 62038 2b785f9 61609->62038 61613 2b77394 61610->61613 62041 2b72ac7 61610->62041 61613->61508 61615 2b7fb10 Mailbox 68 API calls 61614->61615 61617 2b7c129 61615->61617 61616 2b7c217 61616->61508 61617->61616 61618 2b72db5 73 API calls 61617->61618 
61618->61617 61620 2b77400 WSASetLastError shutdown 61619->61620 61621 2b773f0 61619->61621 61623 2b79505 69 API calls 61620->61623 61622 2b7fb10 Mailbox 68 API calls 61621->61622 61624 2b773f5 61622->61624 61625 2b7741d 61623->61625 61624->61508 61625->61624 61626 2b7fb10 Mailbox 68 API calls 61625->61626 61626->61624 61627->61508 61628->61508 61629->61518 61630->61518 61631->61508 61632->61508 61633->61527 61634->61529 61635->61525 61637 2b7d009 __EH_prolog 61636->61637 61638 2b827b5 _Allocate 60 API calls 61637->61638 61639 2b7d020 61638->61639 61639->61533 61641 2b7fb39 61640->61641 61643 2b7513d 61640->61643 61642 2b823a4 __cinit 68 API calls 61641->61642 61642->61643 61643->61538 61645 2b7fb10 Mailbox 68 API calls 61644->61645 61647 2b7973b 61645->61647 61646 2b7519d 61646->61544 61646->61547 61646->61548 61647->61646 61654 2b72db5 61647->61654 61650 2b7fb10 Mailbox 68 API calls 61649->61650 61653 2b7beef 61650->61653 61651 2b7bffe 61651->61544 61653->61651 61681 2b72b95 61653->61681 61655 2b72de4 61654->61655 61656 2b72dca 61654->61656 61657 2b72dfc 61655->61657 61659 2b72def 61655->61659 61658 2b7fb10 Mailbox 68 API calls 61656->61658 61668 2b72d39 WSASetLastError WSASend 61657->61668 61662 2b72dcf 61658->61662 61661 2b7fb10 Mailbox 68 API calls 61659->61661 61661->61662 61662->61647 61663 2b72e54 WSASetLastError select 61678 2b79505 61663->61678 61665 2b7fb10 68 API calls Mailbox 61666 2b72e0c 61665->61666 61666->61662 61666->61663 61666->61665 61667 2b72d39 71 API calls 61666->61667 61667->61666 61669 2b79505 69 API calls 61668->61669 61670 2b72d6e 61669->61670 61671 2b72d75 61670->61671 61672 2b72d82 61670->61672 61673 2b7fb10 Mailbox 68 API calls 61671->61673 61674 2b72d7a 61672->61674 61675 2b7fb10 Mailbox 68 API calls 61672->61675 61673->61674 61676 2b72d9c 61674->61676 61677 2b7fb10 Mailbox 68 API calls 61674->61677 61675->61674 61676->61666 61677->61676 61679 2b7fb10 Mailbox 68 API calls 61678->61679 61680 2b79511 WSAGetLastError 61679->61680 
61680->61666 61682 2b72bb1 61681->61682 61684 2b72bc7 61681->61684 61683 2b7fb10 Mailbox 68 API calls 61682->61683 61689 2b72bb6 61683->61689 61686 2b72bd2 61684->61686 61695 2b72bdf 61684->61695 61685 2b72be2 WSASetLastError WSARecv 61687 2b79505 69 API calls 61685->61687 61688 2b7fb10 Mailbox 68 API calls 61686->61688 61687->61695 61688->61689 61689->61653 61690 2b7fb10 68 API calls Mailbox 61690->61695 61691 2b72d22 61696 2b71996 68 API calls __cinit 61691->61696 61693 2b72cbc WSASetLastError select 61694 2b79505 69 API calls 61693->61694 61694->61695 61695->61685 61695->61689 61695->61690 61695->61691 61695->61693 61696->61689 61697->61566 61706 2b823b9 61698->61706 61701 2b81114 61701->61569 61702 2b8113d ResumeThread 61702->61569 61703 2b81136 CloseHandle 61703->61702 61704->61571 61707 2b823db 61706->61707 61708 2b823c7 61706->61708 61710 2b8761a __calloc_crt 59 API calls 61707->61710 61730 2b84abb 59 API calls __getptd_noexit 61708->61730 61712 2b823e8 61710->61712 61711 2b823cc 61731 2b83b55 9 API calls __ungetc_nolock 61711->61731 61714 2b82439 61712->61714 61725 2b848ba 61712->61725 61715 2b81f74 _free 59 API calls 61714->61715 61717 2b8243f 61715->61717 61719 2b8110b 61717->61719 61732 2b84a9a 59 API calls 2 library calls 61717->61732 61719->61701 61719->61702 61719->61703 61720 2b84941 __initptd 59 API calls 61722 2b823fe CreateThread 61720->61722 61722->61719 61724 2b82431 GetLastError 61722->61724 61749 2b82519 61722->61749 61724->61714 61733 2b848d2 GetLastError 61725->61733 61727 2b848c0 61728 2b823f5 61727->61728 61747 2b86fed 59 API calls 3 library calls 61727->61747 61728->61720 61730->61711 61731->61719 61732->61719 61734 2b87d7b __CRT_INIT@12 TlsGetValue 61733->61734 61735 2b848e7 61734->61735 61736 2b84935 SetLastError 61735->61736 61737 2b8761a __calloc_crt 56 API calls 61735->61737 61736->61727 61738 2b848fa 61737->61738 61738->61736 61748 2b87d9a TlsSetValue 61738->61748 61740 2b8490e 61741 2b8492c 61740->61741 61742 2b84914 61740->61742 
61744 2b81f74 _free 56 API calls 61741->61744 61743 2b84941 __initptd 56 API calls 61742->61743 61745 2b8491c GetCurrentThreadId 61743->61745 61746 2b84932 61744->61746 61745->61736 61746->61736 61748->61740 61750 2b82522 __threadstartex@4 61749->61750 61751 2b87d7b __CRT_INIT@12 TlsGetValue 61750->61751 61752 2b82528 61751->61752 61753 2b8255b 61752->61753 61754 2b8252f __threadstartex@4 61752->61754 61782 2b8474f 59 API calls 6 library calls 61753->61782 61781 2b87d9a TlsSetValue 61754->61781 61757 2b8253e 61759 2b82551 GetCurrentThreadId 61757->61759 61760 2b82544 GetLastError RtlExitUserThread 61757->61760 61758 2b82576 ___crtIsPackagedApp 61763 2b8258a 61758->61763 61765 2b824c1 61758->61765 61759->61758 61760->61759 61771 2b82452 61763->61771 61766 2b824ca LoadLibraryExW GetProcAddress 61765->61766 61767 2b82503 RtlDecodePointer 61765->61767 61768 2b824ec 61766->61768 61769 2b824ed RtlEncodePointer 61766->61769 61770 2b82513 61767->61770 61768->61763 61769->61767 61770->61763 61772 2b8245e __CRT_INIT@12 61771->61772 61773 2b848ba FindHandler 59 API calls 61772->61773 61774 2b82463 61773->61774 61783 2b81160 61774->61783 61777 2b82473 61778 2b87944 __XcptFilter 59 API calls 61777->61778 61779 2b82484 61778->61779 61781->61757 61782->61758 61801 2b80610 61783->61801 61786 2b811a8 TlsSetValue 61787 2b811b0 61786->61787 61823 2b7cdb0 61787->61823 61792 2b82493 61793 2b848d2 __getptd_noexit 59 API calls 61792->61793 61794 2b8249c 61793->61794 61795 2b824b7 RtlExitUserThread 61794->61795 61796 2b824ab 61794->61796 61797 2b824b0 61794->61797 61938 2b82596 LoadLibraryExW GetProcAddress RtlEncodePointer RtlDecodePointer 61796->61938 61939 2b84884 59 API calls 2 library calls 61797->61939 61800 2b824b6 61800->61795 61802 2b80674 61801->61802 61803 2b806f0 61802->61803 61804 2b8068c 61802->61804 61809 2b8079c WaitForSingleObject 61802->61809 61818 2b80770 CreateEventA 61802->61818 61821 2b8078e CloseHandle 61802->61821 61848 2b80c10 GetCurrentProcessId 61802->61848 
61805 2b80706 61803->61805 61807 2b80703 CloseHandle 61803->61807 61806 2b806ce ResetEvent 61804->61806 61810 2b806a5 OpenEventA 61804->61810 61846 2b80c10 GetCurrentProcessId 61804->61846 61839 2b831ab 61805->61839 61812 2b806d5 61806->61812 61807->61805 61809->61802 61814 2b806bf 61810->61814 61815 2b806c7 61810->61815 61811 2b8071e 61811->61786 61811->61787 61847 2b80850 CreateEventA CloseHandle SetEvent GetCurrentProcessId 61812->61847 61814->61815 61817 2b806c4 CloseHandle 61814->61817 61815->61806 61815->61812 61816 2b806a2 61816->61810 61817->61815 61818->61802 61821->61802 61822 2b806ed 61822->61803 61824 2b7cdd2 61823->61824 61850 2b74d86 61824->61850 61825 2b7cdd5 61827 2b80f30 61825->61827 61828 2b80f69 TlsGetValue 61827->61828 61837 2b80f61 Mailbox 61827->61837 61828->61837 61829 2b80fdd 61830 2b81006 61829->61830 61834 2b80ffe GetProcessHeap HeapFree 61829->61834 61830->61792 61831 2b80fb9 61832 2b80610 17 API calls 61831->61832 61835 2b80fc8 61832->61835 61833 2b81049 GetProcessHeap HeapFree 61833->61837 61834->61830 61835->61829 61836 2b80fd5 TlsSetValue 61835->61836 61836->61829 61837->61829 61837->61831 61837->61833 61838 2b8103b GetProcessHeap HeapFree 61837->61838 61838->61833 61840 2b831b3 61839->61840 61841 2b831b5 IsProcessorFeaturePresent 61839->61841 61840->61811 61843 2b88141 61841->61843 61849 2b880f0 5 API calls 2 library calls 61843->61849 61845 2b88224 61845->61811 61846->61816 61847->61822 61848->61802 61849->61845 61851 2b74d90 __EH_prolog 61850->61851 61852 2b7fb10 Mailbox 68 API calls 61851->61852 61853 2b74da6 RtlEnterCriticalSection RtlLeaveCriticalSection 61852->61853 61854 2b750d4 shared_ptr 61853->61854 61867 2b74dd1 std::bad_exception::bad_exception 61853->61867 61854->61825 61856 2b750a1 RtlEnterCriticalSection RtlLeaveCriticalSection 61857 2b750b3 RtlEnterCriticalSection RtlLeaveCriticalSection 61856->61857 61857->61854 61857->61867 61858 2b7bed5 73 API calls 61858->61867 61859 2b79721 73 API calls 61859->61867 61861 2b74e8d 
RtlEnterCriticalSection RtlLeaveCriticalSection 61862 2b74e9f RtlEnterCriticalSection RtlLeaveCriticalSection 61861->61862 61862->61867 61867->61856 61867->61857 61867->61858 61867->61859 61867->61861 61867->61862 61870 2b74bed 61867->61870 61894 2b76d1f 60 API calls 61867->61894 61895 2b7c007 60 API calls 2 library calls 61867->61895 61896 2b76cf9 60 API calls std::bad_exception::bad_exception 61867->61896 61897 2b799ae 60 API calls 2 library calls 61867->61897 61898 2b79a86 210 API calls 3 library calls 61867->61898 61899 2b808f0 GetProcessHeap HeapFree 61867->61899 61900 2b74100 GetProcessHeap HeapFree 61867->61900 61871 2b74bf7 __EH_prolog 61870->61871 61872 2b71ba7 209 API calls 61871->61872 61873 2b74c31 61872->61873 61901 2b73a94 61873->61901 61875 2b74c3c 61876 2b73a94 60 API calls 61875->61876 61877 2b74c56 61876->61877 61904 2b775cd 61877->61904 61882 2b7fb10 Mailbox 68 API calls 61883 2b74cb8 61882->61883 61929 2b7b28c 61883->61929 61885 2b74ce1 InterlockedExchange 61933 2b72995 95 API calls Mailbox 61885->61933 61887 2b74d3c 61937 2b77616 75 API calls 2 library calls 61887->61937 61891 2b74d57 shared_ptr 61891->61867 61892 2b74d06 61892->61887 61934 2b77589 76 API calls Mailbox 61892->61934 61935 2b772f3 82 API calls Mailbox 61892->61935 61936 2b72995 95 API calls Mailbox 61892->61936 61894->61867 61895->61867 61896->61867 61897->61867 61898->61867 61899->61867 61900->61867 61902 2b739ee 60 API calls 61901->61902 61903 2b73ab5 61902->61903 61903->61875 61905 2b7fb10 Mailbox 68 API calls 61904->61905 61906 2b775e3 61905->61906 61907 2b78a1d 77 API calls 61906->61907 61908 2b775fd 61907->61908 61909 2b71712 60 API calls 61908->61909 61910 2b74c8b 61909->61910 61911 2b7d0f7 61910->61911 61912 2b7d101 __EH_prolog 61911->61912 61913 2b71a01 61 API calls 61912->61913 61914 2b7d118 61913->61914 61915 2b7d155 InterlockedExchangeAdd 61914->61915 61916 2b7fb10 Mailbox 68 API calls 61914->61916 61918 2b7d185 61915->61918 61919 2b7d190 RtlEnterCriticalSection 
61915->61919 61916->61915 61920 2b71ec7 InterlockedIncrement PostQueuedCompletionStatus RtlEnterCriticalSection InterlockedExchange RtlLeaveCriticalSection 61918->61920 61921 2b76f56 60 API calls 61919->61921 61923 2b7d18e 61920->61923 61922 2b7d1b6 InterlockedIncrement 61921->61922 61924 2b7d1c6 61922->61924 61925 2b7d1cd RtlLeaveCriticalSection 61922->61925 61927 2b7d851 TlsGetValue 61923->61927 61926 2b727f3 SetWaitableTimer 61924->61926 61925->61923 61926->61925 61928 2b74ca4 61927->61928 61928->61882 61930 2b7b29f 61929->61930 61931 2b7b2c8 61930->61931 61932 2b7d9c0 83 API calls 61930->61932 61931->61885 61932->61931 61933->61892 61934->61892 61935->61892 61936->61892 61937->61891 61938->61797 61939->61800 61940->61580 61941->61583 61942->61583 61943->61587 61945 2b7d339 __EH_prolog 61944->61945 61946 2b827b5 _Allocate 60 API calls 61945->61946 61947 2b7d342 61946->61947 61948 2b71bfa RtlEnterCriticalSection 61947->61948 61950 2b7d550 61947->61950 61948->61590 61951 2b7d55a __EH_prolog 61950->61951 61954 2b726db RtlEnterCriticalSection 61951->61954 61953 2b7d5b0 61953->61948 61955 2b7277e 61954->61955 61956 2b72728 CreateWaitableTimerA 61954->61956 61959 2b727d5 RtlLeaveCriticalSection 61955->61959 61961 2b827b5 _Allocate 60 API calls 61955->61961 61957 2b7275b SetWaitableTimer 61956->61957 61958 2b72738 GetLastError 61956->61958 61957->61955 61960 2b7fb10 Mailbox 68 API calls 61958->61960 61959->61953 61962 2b72745 61960->61962 61963 2b7278a 61961->61963 61998 2b71712 61962->61998 61965 2b727c8 61963->61965 61966 2b827b5 _Allocate 60 API calls 61963->61966 62004 2b76dfe CloseHandle 61965->62004 61968 2b727a9 61966->61968 61970 2b71cf8 CreateEventA 61968->61970 61971 2b71d23 GetLastError 61970->61971 61972 2b71d52 CreateEventA 61970->61972 61975 2b71d33 61971->61975 61973 2b71d6b GetLastError 61972->61973 61990 2b71d96 61972->61990 61978 2b71d7b 61973->61978 61974 2b823b9 __beginthreadex 201 API calls 61976 2b71db6 61974->61976 61977 2b7fb10 Mailbox 68 API 
calls 61975->61977 61980 2b71dc6 GetLastError 61976->61980 61981 2b71e0d 61976->61981 61982 2b71d3c 61977->61982 61979 2b7fb10 Mailbox 68 API calls 61978->61979 61983 2b71d84 61979->61983 61988 2b71dd8 61980->61988 61984 2b71e11 WaitForSingleObject CloseHandle 61981->61984 61985 2b71e1d 61981->61985 61986 2b71712 60 API calls 61982->61986 61987 2b71712 60 API calls 61983->61987 61984->61985 61985->61965 61989 2b71d4e 61986->61989 61987->61990 61991 2b71ddf 61988->61991 61992 2b71ddc CloseHandle 61988->61992 61989->61972 61990->61974 61993 2b71dee 61991->61993 61994 2b71de9 CloseHandle 61991->61994 61992->61991 61995 2b7fb10 Mailbox 68 API calls 61993->61995 61994->61993 61996 2b71dfb 61995->61996 61997 2b71712 60 API calls 61996->61997 61997->61981 61999 2b7171c __EH_prolog 61998->61999 62000 2b7173e 61999->62000 62005 2b71815 59 API calls std::exception::exception 61999->62005 62000->61957 62002 2b71732 62006 2b7949e 60 API calls 2 library calls 62002->62006 62004->61959 62005->62002 62018 2b730ae WSASetLastError 62007->62018 62010 2b73c90 62012 2b716ae 62010->62012 62011 2b730ae 71 API calls 62011->62010 62013 2b716b8 __EH_prolog 62012->62013 62014 2b71701 62013->62014 62034 2b814d3 59 API calls std::exception::_Copy_str 62013->62034 62014->61508 62016 2b716dc 62035 2b7949e 60 API calls 2 library calls 62016->62035 62019 2b730ce 62018->62019 62020 2b730ec WSAStringToAddressA 62018->62020 62019->62020 62021 2b730d3 62019->62021 62022 2b79505 69 API calls 62020->62022 62023 2b7fb10 Mailbox 68 API calls 62021->62023 62024 2b73114 62022->62024 62025 2b730d8 62023->62025 62026 2b7311e _memcmp 62024->62026 62027 2b73154 62024->62027 62025->62010 62025->62011 62030 2b7fb10 Mailbox 68 API calls 62026->62030 62032 2b73135 62026->62032 62031 2b7fb10 Mailbox 68 API calls 62027->62031 62027->62032 62028 2b73193 62028->62025 62033 2b7fb10 Mailbox 68 API calls 62028->62033 62029 2b7fb10 Mailbox 68 API calls 62029->62028 62030->62032 62031->62032 62032->62028 62032->62029 
62033->62025 62034->62016 62036->61606 62037->61607 62059 2b7353e 62038->62059 62042 2b72ae8 WSASetLastError connect 62041->62042 62043 2b72ad8 62041->62043 62044 2b79505 69 API calls 62042->62044 62045 2b7fb10 Mailbox 68 API calls 62043->62045 62046 2b72b07 62044->62046 62049 2b72add 62045->62049 62047 2b7fb10 Mailbox 68 API calls 62046->62047 62046->62049 62047->62049 62048 2b7fb10 Mailbox 68 API calls 62050 2b72b1b 62048->62050 62049->62048 62052 2b7fb10 Mailbox 68 API calls 62050->62052 62054 2b72b38 62050->62054 62052->62054 62053 2b72b59 62055 2b72b87 62053->62055 62093 2b72fb4 71 API calls Mailbox 62053->62093 62054->62055 62092 2b73027 71 API calls Mailbox 62054->62092 62055->61613 62057 2b72b7a 62057->62055 62058 2b7fb10 Mailbox 68 API calls 62057->62058 62058->62055 62060 2b73548 __EH_prolog 62059->62060 62061 2b73557 62060->62061 62062 2b73576 62060->62062 62089 2b71996 68 API calls __cinit 62061->62089 62081 2b72edd WSASetLastError WSASocketA 62062->62081 62066 2b735ad CreateIoCompletionPort 62067 2b735c5 GetLastError 62066->62067 62068 2b735db 62066->62068 62071 2b7fb10 Mailbox 68 API calls 62067->62071 62069 2b7fb10 Mailbox 68 API calls 62068->62069 62072 2b735d2 62069->62072 62070 2b7355f 62070->61610 62071->62072 62073 2b73626 62072->62073 62074 2b735ef 62072->62074 62091 2b7ceef 60 API calls 2 library calls 62073->62091 62075 2b7fb10 Mailbox 68 API calls 62074->62075 62076 2b73608 62075->62076 62090 2b729ee 76 API calls Mailbox 62076->62090 62079 2b73659 62080 2b7fb10 Mailbox 68 API calls 62079->62080 62080->62070 62082 2b7fb10 Mailbox 68 API calls 62081->62082 62083 2b72f0a WSAGetLastError 62082->62083 62084 2b72f21 62083->62084 62085 2b72f41 62083->62085 62086 2b72f27 setsockopt 62084->62086 62087 2b72f3c 62084->62087 62085->62066 62085->62070 62086->62087 62088 2b7fb10 Mailbox 68 API calls 62087->62088 62088->62085 62089->62070 62090->62070 62091->62079 62092->62053 62093->62057 62094 2bafe8c 62095 2bda3d1 CreateFileA 62094->62095 62096 4017b6 
GetModuleHandleA 62097 40d6c4 GetModuleFileNameA 62096->62097 62098 40df4a 62097->62098 62099 402337 62100 4022ea RegSetValueExA 62099->62100 62103 40233e 62099->62103 62102 40dc57 RegCloseKey 62100->62102 62102->62103 62103->62102 62104 40183a 62105 40df3a RegCloseKey 62104->62105 62106 2b7104d 62107 2b823a4 __cinit 68 API calls 62106->62107 62108 2b71057 62107->62108 62111 2b71aa9 InterlockedIncrement 62108->62111 62112 2b71ac5 WSAStartup InterlockedExchange 62111->62112 62113 2b7105c 62111->62113 62112->62113

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 2b75e59-2b760e7 RtlInitializeCriticalSection GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress call 2b742c7 GetTickCount call 2b759f4 GetVersionExA call 2b83750 call 2b81fac * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2b83750 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2b81fac * 4 QueryPerformanceCounter Sleep call 2b81fac * 2 call 2b83750 * 2 45 2b760eb-2b760ed 0->45 46 2b760f6-2b760f8 45->46 47 2b760ef-2b760f4 45->47 48 2b76105-2b76134 RtlEnterCriticalSection RtlLeaveCriticalSection 46->48 49 2b760fa 46->49 50 2b760ff Sleep 47->50 51 2b76289-2b762b7 48->51 49->50 50->48 53 2b762b9-2b762bd 51->53 54 2b762bf-2b762c3 53->54 55 2b7632b-2b76331 53->55 56 2b762c5 54->56 57 2b76332 55->57 58 2b76388-2b7638b 55->58 56->51 60 2b762c7-2b762c9 56->60 57->58 61 2b76334-2b7633e 57->61 59 2b7638e-2b7638f 58->59 62 2b76391 59->62 63 2b7636b-2b76372 59->63 64 2b762ce-2b762d8 60->64 65 2b763b7-2b763c8 61->65 68 2b76395-2b763a2 62->68 66 2b76374-2b76383 63->66 67 2b763e1-2b763e4 63->67 64->53 69 2b762da-2b76304 64->69 70 2b763e7 65->70 71 2b763ca-2b763e0 65->71 72 2b76385 66->72 73 2b7635a 66->73 67->70 68->68 74 2b763a4-2b763b2 68->74 69->64 80 2b76306-2b76315 69->80 70->59 75 2b763e9-2b76443 70->75 71->67 72->58 74->65 77 2b76445-2b7644b 75->77 78 2b7645f-2b76469 75->78 81 2b76451-2b7645e call 2b7534d 77->81 82 2b7644d-2b7644f 77->82 78->45 79 2b7646f-2b76493 call 2b83750 call 2b7439c 78->79 79->45 90 2b76499-2b764c4 RtlEnterCriticalSection RtlLeaveCriticalSection call 2b8133c 79->90 80->56 85 2b76317-2b76327 80->85 81->78 82->78 85->55 93 2b764c6-2b764d5 call 2b8133c 90->93 94 2b7650e-2b76526 call 2b8133c 90->94 93->94 101 2b764d7-2b764e6 call 2b8133c 93->101 99 2b767cd-2b767dc call 2b8133c 94->99 100 2b7652c-2b7652e 94->100 109 2b76821-2b76830 call 2b8133c 99->109
110 2b767de-2b767e0 99->110 100->99 103 2b76534-2b765df call 2b81fac RtlEnterCriticalSection RtlLeaveCriticalSection call 2b83750 * 5 call 2b7439c * 2 100->103 101->94 108 2b764e8-2b764f7 call 2b8133c 101->108 155 2b765e1-2b765e3 103->155 156 2b7661c 103->156 108->94 123 2b764f9-2b76508 call 2b8133c 108->123 121 2b76845-2b76854 call 2b8133c 109->121 122 2b76832-2b7683b call 2b75c0c call 2b75d1a 109->122 110->109 114 2b767e2-2b7681c call 2b83750 RtlEnterCriticalSection RtlLeaveCriticalSection 110->114 114->45 121->45 135 2b7685a-2b7685c 121->135 137 2b76840 122->137 123->45 123->94 135->45 138 2b76862-2b7687b call 2b7439c 135->138 137->45 138->45 144 2b76881-2b76950 call 2b81418 call 2b71ba7 138->144 153 2b76957-2b76978 RtlEnterCriticalSection 144->153 154 2b76952 call 2b7143f 144->154 159 2b76984-2b769eb RtlLeaveCriticalSection call 2b73c67 call 2b73d7e call 2b77336 153->159 160 2b7697a-2b76981 153->160 154->153 155->156 161 2b765e5-2b765f7 call 2b8133c 155->161 157 2b76620-2b7664e call 2b81fac call 2b83750 call 2b7439c 156->157 179 2b76650-2b7665f call 2b825e6 157->179 180 2b7668f-2b76698 call 2b81f74 157->180 181 2b76b53-2b76b67 call 2b77fff 159->181 182 2b769f1-2b76a33 call 2b79721 159->182 160->159 161->156 168 2b765f9-2b7661a call 2b7439c 161->168 168->157 179->180 195 2b76661 179->195 193 2b7669e-2b766b6 call 2b827b5 180->193 194 2b767bb-2b767c8 180->194 181->45 191 2b76b1d-2b76b2e call 2b773e5 182->191 192 2b76a39-2b76a40 182->192 201 2b76b33-2b76b4e call 2b733b2 191->201 197 2b76a43-2b76a48 192->197 207 2b766c2 193->207 208 2b766b8-2b766c0 call 2b78733 193->208 194->45 199 2b76666-2b76678 call 2b81850 195->199 197->197 202 2b76a4a-2b76a8f call 2b79721 197->202 210 2b7667d-2b7668d call 2b825e6 199->210 211 2b7667a 199->211 201->181 202->191 216 2b76a95-2b76a9b 202->216 209 2b766c4-2b76752 call 2b7984b call 2b73863 call 2b75119 call 2b73863 call 2b79af1 call 2b79c0b 207->209 208->209 236 2b76757-2b76768 209->236 210->180 210->199 211->210 220 2b76a9e-2b76aa3
216->220 220->220 222 2b76aa5-2b76ae0 call 2b79721 220->222 222->191 228 2b76ae2-2b76b16 call 2b7c113 222->228 232 2b76b1b-2b76b1c 228->232 232->191 237 2b7676f-2b7679a Sleep call 2b808f0 236->237 238 2b7676a call 2b7380b 236->238 242 2b767a6-2b767b4 237->242 243 2b7679c-2b767a5 call 2b74100 237->243 238->237 242->194 245 2b767b6 call 2b7380b 242->245 243->242 245->194
APIs
• RtlInitializeCriticalSection.NTDLL(02BA4FD0), ref: 02B75E8D
• GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02B75EA4
• GetProcAddress.KERNEL32(00000000), ref: 02B75EAD
• GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02B75EBC
• GetProcAddress.KERNEL32(00000000), ref: 02B75EBF
• GetTickCount.KERNEL32 ref: 02B75ED3
  • Part of subcall function 02B759F4: _malloc.LIBCMT ref: 02B75A02
• GetVersionExA.KERNEL32(02BA4E20), ref: 02B75F00
• _malloc.LIBCMT ref: 02B75F2C
  • Part of subcall function 02B81FAC: __FF_MSGBANNER.LIBCMT ref: 02B81FC3
  • Part of subcall function 02B81FAC: __NMSG_WRITE.LIBCMT ref: 02B81FCA
  • Part of subcall function 02B81FAC: RtlAllocateHeap.NTDLL(00850000,00000000,00000001), ref: 02B81FEF
• _malloc.LIBCMT ref: 02B75F3C
• _malloc.LIBCMT ref: 02B75F47
• _malloc.LIBCMT ref: 02B75F52
• _malloc.LIBCMT ref: 02B75F5D
• _malloc.LIBCMT ref: 02B75F68
• _malloc.LIBCMT ref: 02B75F73
• _malloc.LIBCMT ref: 02B75F7F
• GetProcessHeap.KERNEL32(00000000,00000004), ref: 02B75F96
• RtlAllocateHeap.NTDLL(00000000), ref: 02B75F9F
• GetProcessHeap.KERNEL32(00000000,00000400), ref: 02B75FAB
• RtlAllocateHeap.NTDLL(00000000), ref: 02B75FAE
• GetProcessHeap.KERNEL32(00000000,00000400), ref: 02B75FB9
• RtlAllocateHeap.NTDLL(00000000), ref: 02B75FBC
• RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B75FF3
• RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B76000
• _malloc.LIBCMT ref: 02B76021
• _malloc.LIBCMT ref: 02B7602F
• _malloc.LIBCMT ref: 02B76036
• _malloc.LIBCMT ref: 02B76057
• QueryPerformanceCounter.KERNEL32(00000200), ref: 02B76063
• Sleep.KERNEL32(00000000), ref: 02B76071
• _malloc.LIBCMT ref: 02B7607D
• _malloc.LIBCMT ref: 02B7608D
• Sleep.KERNEL32(0000EA60), ref: 02B760FF
• RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B7610A
• RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B7611B
Strings
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _malloc$Heap$CriticalSection$Allocate$Process$AddressEnterHandleLeaveModuleProcSleep$CountCounterInitializePerformanceQueryTickVersion
                                                                                                            • String ID: D}Q$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$sprintf$strcat
                                                                                                            • API String ID: 4273019447-2149324451
                                                                                                            • Opcode ID: 21c6d0ecd3b64d786abfe8841e9051626952e26510862f5a596b1bbadaf7a04f
                                                                                                            • Instruction ID: 4fc3266e084ffa12b1184d960cf5ed5a55797c93847b9228bccff5b727559192
                                                                                                            • Opcode Fuzzy Hash: 21c6d0ecd3b64d786abfe8841e9051626952e26510862f5a596b1bbadaf7a04f
                                                                                                            • Instruction Fuzzy Hash: 7871C371D993409FD721BF74AC0AB5B7BE8AF85704F0408A9F58C97280DBB88915CF96

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1065 2b7e9a6-2b7e9c9 LoadLibraryA 1066 2b7e9cf-2b7e9dd GetProcAddress 1065->1066 1067 2b7ea89-2b7ea90 1065->1067 1068 2b7e9e3-2b7e9f3 1066->1068 1069 2b7ea82-2b7ea83 FreeLibrary 1066->1069 1070 2b7e9f5-2b7ea01 GetAdaptersInfo 1068->1070 1069->1067 1071 2b7ea03 1070->1071 1072 2b7ea39-2b7ea41 1070->1072 1073 2b7ea05-2b7ea0c 1071->1073 1074 2b7ea43-2b7ea49 call 2b826cf 1072->1074 1075 2b7ea4a-2b7ea4f 1072->1075 1078 2b7ea16-2b7ea1e 1073->1078 1079 2b7ea0e-2b7ea12 1073->1079 1074->1075 1076 2b7ea51-2b7ea54 1075->1076 1077 2b7ea7d-2b7ea81 1075->1077 1076->1077 1081 2b7ea56-2b7ea5b 1076->1081 1077->1069 1083 2b7ea21-2b7ea26 1078->1083 1079->1073 1082 2b7ea14 1079->1082 1085 2b7ea5d-2b7ea65 1081->1085 1086 2b7ea68-2b7ea73 call 2b827b5 1081->1086 1082->1072 1083->1083 1087 2b7ea28-2b7ea35 call 2b7e6f5 1083->1087 1085->1086 1086->1077 1092 2b7ea75-2b7ea78 1086->1092 1087->1072 1092->1070
                                                                                                            APIs
                                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02B7E9BC
                                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02B7E9D5
                                                                                                            • GetAdaptersInfo.IPHLPAPI(?,?), ref: 02B7E9FA
                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 02B7EA83
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Library$AdaptersAddressFreeInfoLoadProc
                                                                                                            • String ID: GetAdaptersInfo$iphlpapi.dll
                                                                                                            • API String ID: 514930453-3114217049
                                                                                                            • Opcode ID: af0a06a4dbae4d1ade8db3c8581e995ae27d457ff73d97a136044c0146794931
                                                                                                            • Instruction ID: 64f85c761a0da934d769b9582d923694eb6581f07052ee5cf1c6583bc0220563
                                                                                                            • Opcode Fuzzy Hash: af0a06a4dbae4d1ade8db3c8581e995ae27d457ff73d97a136044c0146794931
                                                                                                            • Instruction Fuzzy Hash: 0821B175A002099BDB21DFA8D884AEEBBB9FF05314F1400E9E525E7201DB30DA45CBA0

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1093 2b72b95-2b72baf 1094 2b72bc7-2b72bcb 1093->1094 1095 2b72bb1-2b72bb9 call 2b7fb10 1093->1095 1097 2b72bdf 1094->1097 1098 2b72bcd-2b72bd0 1094->1098 1103 2b72bbf-2b72bc2 1095->1103 1099 2b72be2-2b72c11 WSASetLastError WSARecv call 2b79505 1097->1099 1098->1097 1101 2b72bd2-2b72bdd call 2b7fb10 1098->1101 1105 2b72c16-2b72c1d 1099->1105 1101->1103 1106 2b72d30 1103->1106 1108 2b72c1f-2b72c2a call 2b7fb10 1105->1108 1109 2b72c2c-2b72c32 1105->1109 1110 2b72d32-2b72d38 1106->1110 1118 2b72c3f-2b72c42 1108->1118 1112 2b72c46-2b72c48 1109->1112 1113 2b72c34-2b72c39 call 2b7fb10 1109->1113 1116 2b72c4f-2b72c60 call 2b7fb10 1112->1116 1117 2b72c4a-2b72c4d 1112->1117 1113->1118 1116->1110 1120 2b72c66-2b72c69 1116->1120 1117->1120 1118->1112 1122 2b72c73-2b72c76 1120->1122 1123 2b72c6b-2b72c6d 1120->1123 1122->1106 1126 2b72c7c-2b72c9a call 2b7fb10 call 2b7166f 1122->1126 1123->1122 1125 2b72d22-2b72d2d call 2b71996 1123->1125 1125->1106 1133 2b72cbc-2b72cfa WSASetLastError select call 2b79505 1126->1133 1134 2b72c9c-2b72cba call 2b7fb10 call 2b7166f 1126->1134 1139 2b72cfc-2b72d06 call 2b7fb10 1133->1139 1140 2b72d08 1133->1140 1134->1106 1134->1133 1148 2b72d19-2b72d1d 1139->1148 1143 2b72d15-2b72d17 1140->1143 1144 2b72d0a-2b72d12 call 2b7fb10 1140->1144 1143->1106 1143->1148 1144->1143 1148->1099
                                                                                                            APIs
                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B72BE4
                                                                                                            • WSARecv.WS2_32(?,?,?,?,?,00000000,00000000), ref: 02B72C07
                                                                                                              • Part of subcall function 02B79505: WSAGetLastError.WS2_32(00000000,?,?,02B72A51), ref: 02B79513
                                                                                                            • WSASetLastError.WS2_32 ref: 02B72CD3
                                                                                                            • select.WS2_32(?,?,00000000,00000000,00000000), ref: 02B72CE7
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$Recvselect
                                                                                                            • String ID: 3'
                                                                                                            • API String ID: 886190287-280543908
                                                                                                            • Opcode ID: 0a18df286c1ea0aee6e2b575a6499c82c2af87b1d9c5a7c050286b3f873c24c3
                                                                                                            • Instruction ID: f4d5d58402116f00980b881094d678e1252817fd81e250a114bedac1c11e6fae
                                                                                                            • Opcode Fuzzy Hash: 0a18df286c1ea0aee6e2b575a6499c82c2af87b1d9c5a7c050286b3f873c24c3
                                                                                                            • Instruction Fuzzy Hash: 6A414DB1A083019FD7209F74D91476BBBE9EF94394F104D9EE8A987280EB74D540CBA2

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1150 2b7e8a2-2b7e8cd CreateFileA 1151 2b7e8d3-2b7e8e8 1150->1151 1152 2b7e99e-2b7e9a5 1150->1152 1153 2b7e8eb-2b7e90d DeviceIoControl 1151->1153 1154 2b7e946-2b7e94e 1153->1154 1155 2b7e90f-2b7e917 1153->1155 1156 2b7e957-2b7e959 1154->1156 1157 2b7e950-2b7e956 call 2b826cf 1154->1157 1158 2b7e920-2b7e925 1155->1158 1159 2b7e919-2b7e91e 1155->1159 1162 2b7e994-2b7e99d CloseHandle 1156->1162 1163 2b7e95b-2b7e95e 1156->1163 1157->1156 1158->1154 1160 2b7e927-2b7e92f 1158->1160 1159->1154 1164 2b7e932-2b7e937 1160->1164 1162->1152 1166 2b7e960-2b7e969 GetLastError 1163->1166 1167 2b7e97a-2b7e987 call 2b827b5 1163->1167 1164->1164 1168 2b7e939-2b7e945 call 2b7e6f5 1164->1168 1166->1162 1169 2b7e96b-2b7e96e 1166->1169 1167->1162 1174 2b7e989-2b7e98f 1167->1174 1168->1154 1169->1167 1173 2b7e970-2b7e977 1169->1173 1173->1167 1174->1153
                                                                                                            APIs
                                                                                                            • CreateFileA.KERNEL32(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000), ref: 02B7E8C1
                                                                                                            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000400,?,00000000), ref: 02B7E8FF
                                                                                                            • GetLastError.KERNEL32 ref: 02B7E960
                                                                                                            • CloseHandle.KERNEL32(?), ref: 02B7E997
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseControlCreateDeviceErrorFileHandleLast
                                                                                                            • String ID: \\.\PhysicalDrive0
                                                                                                            • API String ID: 4026078076-1180397377
                                                                                                            • Opcode ID: 51949d7674582da7c7a961169542dcd707823b93bedb0ce92bb757b7a8770c0a
                                                                                                            • Instruction ID: 7a4235825bc43221eff0198cbbfd9665bfa2a0f917e73c6ee0f7848cf7e52b94
                                                                                                            • Opcode Fuzzy Hash: 51949d7674582da7c7a961169542dcd707823b93bedb0ce92bb757b7a8770c0a
                                                                                                            • Instruction Fuzzy Hash: 5E319472D00215EBDB25DF94D884BFEBBB8EF45754F1441EAE615A7280D7709A04CBA0
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNEL32(-C448D760), ref: 02BD3978
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002BA8000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BA8000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2ba8000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID: ^0s
                                                                                                            • API String ID: 2962429428-4263405714
                                                                                                            • Opcode ID: e61357ed6b5387e2016a3e10f4e4a3e0d52b8470794f19f15ec240b135b6413a
                                                                                                            • Instruction ID: 5039cd7b7d3629fe5284e5770691ff84cd434378217e963113025045f9140cce
                                                                                                            • Opcode Fuzzy Hash: e61357ed6b5387e2016a3e10f4e4a3e0d52b8470794f19f15ec240b135b6413a
                                                                                                            • Instruction Fuzzy Hash: DC51E0F391C2109FE308AE29EC9577AB7E9FB88710F164A2DFAC9C3704D6305C408686
                                                                                                            APIs
                                                                                                            • CloseHandle.KERNEL32(-C448D760), ref: 02BD3978
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002BA8000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BA8000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2ba8000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandle
                                                                                                            • String ID: ^0s
                                                                                                            • API String ID: 2962429428-4263405714
                                                                                                            • Opcode ID: cf2c784872a2197bf033916813916896aecaa4c89dec95eeb82f5eed13489d62
                                                                                                            • Instruction ID: 7a5d41c049ba7b8660eab319cd47af86e2785985cb5d20cad5c11e39a636cce6
                                                                                                            • Opcode Fuzzy Hash: cf2c784872a2197bf033916813916896aecaa4c89dec95eeb82f5eed13489d62
                                                                                                            • Instruction Fuzzy Hash: 3A51E1F391C2109FE308AE29EC9577AF7E9EB88710F164A2DFAC9C7704D6315C408686

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 248 2b75dee-2b75dfc 249 2b75e03-2b75e16 248->249 249->249 250 2b75e18-2b75e33 249->250 251 2b75e35-2b75e38 250->251 252 2b75e9c-2b75ea6 250->252 253 2b75eab-2b75ebf GetProcAddress GetModuleHandleA GetProcAddress 251->253 254 2b75e3a-2b75e58 251->254 252->253 255 2b75ec6-2b760e7 GetTickCount call 2b759f4 GetVersionExA call 2b83750 call 2b81fac * 8 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap GetProcessHeap RtlAllocateHeap call 2b83750 * 3 RtlEnterCriticalSection RtlLeaveCriticalSection call 2b81fac * 4 QueryPerformanceCounter Sleep call 2b81fac * 2 call 2b83750 * 2 253->255 256 2b75ec1 call 2b742c7 253->256 299 2b760eb-2b760ed 255->299 256->255 300 2b760f6-2b760f8 299->300 301 2b760ef-2b760f4 299->301 302 2b76105-2b76134 RtlEnterCriticalSection RtlLeaveCriticalSection 300->302 303 2b760fa 300->303 304 2b760ff Sleep 301->304 305 2b76289-2b762b7 302->305 303->304 304->302 307 2b762b9-2b762bd 305->307 308 2b762bf-2b762c3 307->308 309 2b7632b-2b76331 307->309 310 2b762c5 308->310 311 2b76332 309->311 312 2b76388-2b7638b 309->312 310->305 314 2b762c7-2b762c9 310->314 311->312 315 2b76334-2b7633e 311->315 313 2b7638e-2b7638f 312->313 316 2b76391 313->316 317 2b7636b-2b76372 313->317 318 2b762ce-2b762d8 314->318 319 2b763b7-2b763c8 315->319 322 2b76395-2b763a2 316->322 320 2b76374-2b76383 317->320 321 2b763e1-2b763e4 317->321 318->307 323 2b762da-2b76304 318->323 324 2b763e7 319->324 325 2b763ca-2b763e0 319->325 326 2b76385 320->326 327 2b7635a 320->327 321->324 322->322 328 2b763a4-2b763b2 322->328 323->318 334 2b76306-2b76315 323->334 324->313 329 2b763e9-2b76443 324->329 325->321 326->312 328->319 331 2b76445-2b7644b 329->331 332 2b7645f-2b76469 329->332 335 2b76451-2b7645e call 2b7534d 331->335 336 2b7644d-2b7644f 331->336 332->299 333 2b7646f-2b76493 call 2b83750 call 2b7439c 332->333 333->299 344 2b76499-2b764c4 RtlEnterCriticalSection RtlLeaveCriticalSection call 2b8133c 333->344 334->310 339 2b76317-2b76327 334->339 335->332 336->332 339->309 347 2b764c6-2b764d5 call 2b8133c 344->347 348 2b7650e-2b76526 call 2b8133c 344->348 347->348 355 2b764d7-2b764e6 call 2b8133c 347->355 353 2b767cd-2b767dc call 2b8133c 348->353 354 2b7652c-2b7652e 348->354 363 2b76821-2b76830 call 2b8133c 353->363 364 2b767de-2b767e0 353->364 354->353 357 2b76534-2b765df call 2b81fac RtlEnterCriticalSection RtlLeaveCriticalSection call 2b83750 * 5 call 2b7439c * 2 354->357 355->348 362 2b764e8-2b764f7 call 2b8133c 355->362 409 2b765e1-2b765e3 357->409 410 2b7661c 357->410 362->348 377 2b764f9-2b76508 call 2b8133c 362->377 375 2b76845-2b76854 call 2b8133c 363->375 376 2b76832-2b76840 call 2b75c0c call 2b75d1a 363->376 364->363 368 2b767e2-2b7681c call 2b83750 RtlEnterCriticalSection RtlLeaveCriticalSection 364->368 368->299 375->299 389 2b7685a-2b7685c 375->389 376->299 377->299 377->348 389->299 392 2b76862-2b7687b call 2b7439c 389->392 392->299 398 2b76881-2b76950 call 2b81418 call 2b71ba7 392->398 407 2b76957-2b76978 RtlEnterCriticalSection 398->407 408 2b76952 call 2b7143f 398->408 413 2b76984-2b769eb RtlLeaveCriticalSection call 2b73c67 call 2b73d7e call 2b77336 407->413 414 2b7697a-2b76981 407->414 408->407 409->410 415 2b765e5-2b765f7 call 2b8133c 409->415 411 2b76620-2b7664e call 2b81fac call 2b83750 call 2b7439c 410->411 433 2b76650-2b7665f call 2b825e6 411->433 434 2b7668f-2b76698 call 2b81f74 411->434 435 2b76b53-2b76b67 call 2b77fff 413->435 436 2b769f1-2b76a33 call 2b79721 413->436 414->413 415->410 422 2b765f9-2b7661a call 2b7439c 415->422 422->411 433->434 449 2b76661 433->449 447 2b7669e-2b766b6 call 2b827b5 434->447 448 2b767bb-2b767c8 434->448 435->299 445 2b76b1d-2b76b4e call 2b773e5 call 2b733b2 436->445 446 2b76a39-2b76a40 436->446 445->435 451 2b76a43-2b76a48 446->451 461 2b766c2 447->461 462 2b766b8-2b766c0 call 2b78733 447->462 448->299 453 2b76666-2b76678 call 2b81850 449->453 451->451 456 2b76a4a-2b76a8f call 2b79721 451->456 464 2b7667d-2b7668d call 2b825e6 453->464 465 2b7667a 453->465 456->445 470 2b76a95-2b76a9b 456->470 463 2b766c4-2b76768 call 2b7984b call 2b73863 call 2b75119 call 2b73863 call 2b79af1 call 2b79c0b 461->463 462->463 491 2b7676f-2b7679a Sleep call 2b808f0 463->491 492 2b7676a call 2b7380b 463->492 464->434 464->453 465->464 474 2b76a9e-2b76aa3 470->474 474->474 476 2b76aa5-2b76ae0 call 2b79721 474->476 476->445 482 2b76ae2-2b76b1c call 2b7c113 476->482 482->445 496 2b767a6-2b767b4 491->496 497 2b7679c-2b767a5 call 2b74100 491->497 492->491 496->448 499 2b767b6 call 2b7380b 496->499 497->496 499->448
                                                                                                            Strings
                                                                                                            • D}Q, xrefs: 02B75ED9
                                                                                                            • ntdll.dll, xrefs: 02B75EB4
                                                                                                            • gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d, xrefs: 02B7603E
                                                                                                            • strcat, xrefs: 02B75EAF
                                                                                                            • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02B76124
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: D}Q$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$gpt=%.8x&advizor=%d&box=%d&hp=%x&lp=%x&line=%d&os=%d.%d.%04d&flag=%d&itd=%d$ntdll.dll$strcat
                                                                                                            • API String ID: 0-2249911341
                                                                                                            • Opcode ID: e0b169e5eb221538a1b0a571d1d40117db4e1864d8ee6854873bba8c3baade96
                                                                                                            • Instruction ID: f748d2f59b7382f10283ce78372d48e4e8a286a8a0aaa0022bbc3396b8400341
                                                                                                            • Opcode Fuzzy Hash: e0b169e5eb221538a1b0a571d1d40117db4e1864d8ee6854873bba8c3baade96
                                                                                                            • Instruction Fuzzy Hash: E7713671D593809FD320BF78A80AB5B7BE4AF95314F1408AEF58C97241DBB58816CF92

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 502 2b762a7-2b762b7 503 2b762b9-2b762bd 502->503 504 2b762bf-2b762c3 503->504 505 2b7632b-2b76331 503->505 506 2b762c5 504->506 507 2b76332 505->507 508 2b76388-2b7638b 505->508 510 2b762c7-2b762c9 506->510 511 2b76289-2b762a3 506->511 507->508 512 2b76334-2b7633e 507->512 509 2b7638e-2b7638f 508->509 513 2b76391 509->513 514 2b7636b-2b76372 509->514 515 2b762ce-2b762d8 510->515 511->502 516 2b763b7-2b763c8 512->516 519 2b76395-2b763a2 513->519 517 2b76374-2b76383 514->517 518 2b763e1-2b763e4 514->518 515->503 520 2b762da-2b76304 515->520 521 2b763e7 516->521 522 2b763ca-2b763e0 516->522 523 2b76385 517->523 524 2b7635a 517->524 518->521 519->519 525 2b763a4-2b763b2 519->525 520->515 532 2b76306-2b76315 520->532 521->509 526 2b763e9-2b76443 521->526 522->518 523->508 525->516 528 2b76445-2b7644b 526->528 529 2b7645f-2b76469 526->529 533 2b76451-2b7645e call 2b7534d 528->533 534 2b7644d-2b7644f 528->534 530 2b7646f-2b76493 call 2b83750 call 2b7439c 529->530 531 2b760eb-2b760ed 529->531 530->531 547 2b76499-2b764c4 RtlEnterCriticalSection RtlLeaveCriticalSection call 2b8133c 530->547 538 2b760f6-2b760f8 531->538 539 2b760ef-2b760f4 531->539 532->506 537 2b76317-2b76327 532->537 533->529 534->529 537->505 542 2b76105-2b76134 RtlEnterCriticalSection RtlLeaveCriticalSection 538->542 543 2b760fa 538->543 544 2b760ff Sleep 539->544 542->511 543->544 544->542 550 2b764c6-2b764d5 call 2b8133c 547->550 551 2b7650e-2b76526 call 2b8133c 547->551 550->551 558 2b764d7-2b764e6 call 2b8133c 550->558 556 2b767cd-2b767dc call 2b8133c 551->556 557 2b7652c-2b7652e 551->557 566 2b76821-2b76830 call 2b8133c 556->566 567 2b767de-2b767e0 556->567 557->556 560 2b76534-2b765df call 2b81fac RtlEnterCriticalSection RtlLeaveCriticalSection call 2b83750 * 5 call 2b7439c * 2 557->560 558->551 565 2b764e8-2b764f7 call 2b8133c 558->565 612 2b765e1-2b765e3 560->612 613 2b7661c 560->613 565->551 580 2b764f9-2b76508 call 2b8133c 565->580 578 2b76845-2b76854 call 2b8133c 566->578 579 2b76832-2b76840 call 2b75c0c call 2b75d1a 566->579 567->566 571 2b767e2-2b7681c call 2b83750 RtlEnterCriticalSection RtlLeaveCriticalSection 567->571 571->531 578->531 592 2b7685a-2b7685c 578->592 579->531 580->531 580->551 592->531 595 2b76862-2b7687b call 2b7439c 592->595 595->531 601 2b76881-2b76950 call 2b81418 call 2b71ba7 595->601 610 2b76957-2b76978 RtlEnterCriticalSection 601->610 611 2b76952 call 2b7143f 601->611 616 2b76984-2b769eb RtlLeaveCriticalSection call 2b73c67 call 2b73d7e call 2b77336 610->616 617 2b7697a-2b76981 610->617 611->610 612->613 618 2b765e5-2b765f7 call 2b8133c 612->618 614 2b76620-2b7664e call 2b81fac call 2b83750 call 2b7439c 613->614 636 2b76650-2b7665f call 2b825e6 614->636 637 2b7668f-2b76698 call 2b81f74 614->637 638 2b76b53-2b76b67 call 2b77fff 616->638 639 2b769f1-2b76a33 call 2b79721 616->639 617->616 618->613 625 2b765f9-2b7661a call 2b7439c 618->625 625->614 636->637 652 2b76661 636->652 650 2b7669e-2b766b6 call 2b827b5 637->650 651 2b767bb-2b767c8 637->651 638->531 648 2b76b1d-2b76b4e call 2b773e5 call 2b733b2 639->648 649 2b76a39-2b76a40 639->649 648->638 654 2b76a43-2b76a48 649->654 664 2b766c2 650->664 665 2b766b8-2b766c0 call 2b78733 650->665 651->531 656 2b76666-2b76678 call 2b81850 652->656 654->654 659 2b76a4a-2b76a8f call 2b79721 654->659 667 2b7667d-2b7668d call 2b825e6 656->667 668 2b7667a 656->668 659->648 673 2b76a95-2b76a9b 659->673 666 2b766c4-2b76768 call 2b7984b call 2b73863 call 2b75119 call 2b73863 call 2b79af1 call 2b79c0b 664->666 665->666 694 2b7676f-2b7679a Sleep call 2b808f0 666->694 695 2b7676a call 2b7380b 666->695 667->637 667->656 668->667 677 2b76a9e-2b76aa3 673->677 677->677 679 2b76aa5-2b76ae0 call 2b79721 677->679 679->648 685 2b76ae2-2b76b1c call 2b7c113 679->685 685->648 699 2b767a6-2b767b4 694->699 700 2b7679c-2b767a5 call 2b74100 694->700 695->694 699->651 702 2b767b6 call 2b7380b 699->702 700->699 702->651
                                                                                                            APIs
                                                                                                            • RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B7649E
                                                                                                            • RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B764AF
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                            • String ID: $$1Q$%d;$<htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                                                                            • API String ID: 3168844106-115409235
                                                                                                            • Opcode ID: 6b66b8ac120ac290b4148a5df348d9ee9e4e4d79a3618d6f5a92af94a29253cc
                                                                                                            • Instruction ID: d4f127eba0ca3663d7fe0699c19c1f2e1a70a40c1d23771dd6d3456ecd0356fe
                                                                                                            • Opcode Fuzzy Hash: 6b66b8ac120ac290b4148a5df348d9ee9e4e4d79a3618d6f5a92af94a29253cc
                                                                                                            • Instruction Fuzzy Hash: 913276326083819FD735EF24D851BEFBBE9EF86314F1449ADE4A987291DB709005CB52

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B7649E
                                                                                                            • RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B764AF
                                                                                                            • _malloc.LIBCMT ref: 02B76536
                                                                                                            • RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B76548
                                                                                                            • RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B76554
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeave$_malloc
                                                                                                            • String ID: <htm$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$auth_ip$auth_swith$block$connect$disconnect$idle$updips$updurls
                                                                                                            • API String ID: 362512214-1437582238
                                                                                                            • Opcode ID: 28d4e71f3ba8827618a77bb03bddfb2eaf973b2fae1a0986d2752078a2b2efe7
                                                                                                            • Instruction ID: ded82eae6737f9c4576aece212ee3d36129df280759b1df6e6d4ed5303063ef1
                                                                                                            • Opcode Fuzzy Hash: 28d4e71f3ba8827618a77bb03bddfb2eaf973b2fae1a0986d2752078a2b2efe7
                                                                                                            • Instruction Fuzzy Hash: EEC1CA326487419FD721AB34AC51BAF7BEADF82718F0404ECF4A9A7292DB71D405CB52

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02B71D11
                                                                                                            • GetLastError.KERNEL32 ref: 02B71D23
                                                                                                              • Part of subcall function 02B71712: __EH_prolog.LIBCMT ref: 02B71717
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02B71D59
                                                                                                            • GetLastError.KERNEL32 ref: 02B71D6B
                                                                                                            • __beginthreadex.LIBCMT ref: 02B71DB1
                                                                                                            • GetLastError.KERNEL32 ref: 02B71DC6
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B71DDD
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B71DEC
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02B71E14
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B71E1B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
                                                                                                            • String ID: thread$thread.entry_event$thread.exit_event
                                                                                                            • API String ID: 831262434-3017686385
                                                                                                            • Opcode ID: 11d2294ab83ac00b69182229d41fdf88260d9a90e3d7e6b046bbdf2ae9e637d5
                                                                                                            • Instruction ID: 4bb61c794b01c34778632523256fd84776f6d57b8796636bc376f54d63194ede
                                                                                                            • Opcode Fuzzy Hash: 11d2294ab83ac00b69182229d41fdf88260d9a90e3d7e6b046bbdf2ae9e637d5
                                                                                                            • Instruction Fuzzy Hash: 0C316D71A403019FD711EF24C848B6BBBA5EF84790F1049ADF969DB290DB709949CFE2

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B74D8B
                                                                                                            • RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B74DB7
                                                                                                            • RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B74DC3
                                                                                                              • Part of subcall function 02B74BED: __EH_prolog.LIBCMT ref: 02B74BF2
                                                                                                              • Part of subcall function 02B74BED: InterlockedExchange.KERNEL32(?,00000000), ref: 02B74CF2
                                                                                                            • RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B74E93
                                                                                                            • RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B74E99
                                                                                                            • RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B74EA0
                                                                                                            • RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B74EA6
                                                                                                            • RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B750A7
                                                                                                            • RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B750AD
                                                                                                            • RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B750B8
                                                                                                            • RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B750C1
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
                                                                                                            • String ID:
                                                                                                            • API String ID: 2062355503-0
                                                                                                            • Opcode ID: 2d23a5b4e9a9869379013cffb1a94d689739c5fe6b293a0fc4a8fec74b221c46
                                                                                                            • Instruction ID: 1a170e95c75a802177ecae8477cf4e05c6788e03e083932e9f0c4f514f312e16
                                                                                                            • Opcode Fuzzy Hash: 2d23a5b4e9a9869379013cffb1a94d689739c5fe6b293a0fc4a8fec74b221c46
                                                                                                            • Instruction Fuzzy Hash: 48B14A71D0425DDFEF25DFA0D840BEEBBB5AF04318F14409AE82976280DBB55A89CF91

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • FindResourceA.KERNEL32(?,0000000A), ref: 00401351
                                                                                                            • SizeofResource.KERNEL32(00000000), ref: 00401370
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Resource$FindSizeof
                                                                                                            • String ID:
                                                                                                            • API String ID: 3019604839-3916222277
                                                                                                            • Opcode ID: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                                            • Instruction ID: 779852d327d389dbbb2f1b261a2bb7141e3a4eae573781fe7d13a424a4f3f89b
                                                                                                            • Opcode Fuzzy Hash: d05602b0e20a881077e161112d5bd34232c8f71c7560e683aad862cf59917e15
                                                                                                            • Instruction Fuzzy Hash: F1811075D04258DFDF01CFE8D985AEEBBB0BF09305F1400AAE581B7262C3385A84DB69

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02B72706
                                                                                                            • CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02B7272B
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B93163), ref: 02B72738
                                                                                                              • Part of subcall function 02B71712: __EH_prolog.LIBCMT ref: 02B71717
                                                                                                            • SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02B72778
                                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02B727D9
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                                            • String ID: timer
                                                                                                            • API String ID: 4293676635-1792073242
                                                                                                            • Opcode ID: 85de086db4101f7ffdfd3d8b1e2e4e303288b19c4404456f2eb45ce9c1296f00
                                                                                                            • Instruction ID: 79ad2dd5b95c63c0e8101dd683f56093952d32760479baa0bd86f33a65b21f5c
                                                                                                            • Opcode Fuzzy Hash: 85de086db4101f7ffdfd3d8b1e2e4e303288b19c4404456f2eb45ce9c1296f00
                                                                                                            • Instruction Fuzzy Hash: 9631B0B1944705AFD310DF65DA84B66BBE8FB48764F004A6EF86983A80D770E854CFA1

                                                                                                            Control-flow Graph

                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B71BAC
                                                                                                            • RtlEnterCriticalSection.NTDLL ref: 02B71BBC
                                                                                                            • RtlLeaveCriticalSection.NTDLL ref: 02B71BEA
                                                                                                            • RtlEnterCriticalSection.NTDLL ref: 02B71C13
                                                                                                            • RtlLeaveCriticalSection.NTDLL ref: 02B71C56
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeave$H_prolog
                                                                                                            • String ID:
                                                                                                            • API String ID: 1633115879-0
                                                                                                            • Opcode ID: 656c3b8f2b6f01c1a78fec11bee8fe8f9d49c440ad3af9797f748f2f0b7f063c
                                                                                                            • Instruction ID: 3e2cef352a2ba3a3826e6c9dc01fe55c34daefdaced2a8d39f583de880f72611
                                                                                                            • Opcode Fuzzy Hash: 656c3b8f2b6f01c1a78fec11bee8fe8f9d49c440ad3af9797f748f2f0b7f063c
                                                                                                            • Instruction Fuzzy Hash: 48219A75A00204AFDB15CF78C84479ABBB9FF48314F20858AEC299B301D771E905CBE0

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1196 2b76bc2-2b76bd1 1197 2b76b65-2b76b67 1196->1197 1198 2b76bd3-2b76bd5 1196->1198 1199 2b760eb-2b760ed 1197->1199 1200 2b76bd7-2b76be5 1198->1200 1201 2b76c3b-2b76c4b 1198->1201 1203 2b760f6-2b760f8 1199->1203 1204 2b760ef-2b760f4 1199->1204 1202 2b76be6-2b76be8 1200->1202 1201->1202 1205 2b76c4d-2b76c4f 1201->1205 1208 2b76c11-2b76c1d 1202->1208 1209 2b76bea-2b76c0f 1202->1209 1210 2b76105-2b76134 RtlEnterCriticalSection RtlLeaveCriticalSection 1203->1210 1211 2b760fa 1203->1211 1212 2b760ff Sleep 1204->1212 1206 2b76c66-2b76c69 1205->1206 1207 2b76c51-2b76c55 1205->1207 1214 2b76c57-2b76c65 1207->1214 1215 2b76c32-2b76c34 1207->1215 1208->1215 1209->1208 1213 2b76289-2b762b7 1210->1213 1211->1212 1212->1210 1218 2b762b9-2b762bd 1213->1218 1214->1206 1215->1201 1219 2b762bf-2b762c3 1218->1219 1220 2b7632b-2b76331 1218->1220 1221 2b762c5 1219->1221 1222 2b76332 1220->1222 1223 2b76388-2b7638b 1220->1223 1221->1213 1225 2b762c7-2b762c9 1221->1225 1222->1223 1226 2b76334-2b7633e 1222->1226 1224 2b7638e-2b7638f 1223->1224 1227 2b76391 1224->1227 1228 2b7636b-2b76372 1224->1228 1229 2b762ce-2b762d8 1225->1229 1230 2b763b7-2b763c8 1226->1230 1233 2b76395-2b763a2 1227->1233 1231 2b76374-2b76383 1228->1231 1232 2b763e1-2b763e4 1228->1232 1229->1218 1234 2b762da-2b76304 1229->1234 1235 2b763e7 1230->1235 1236 2b763ca-2b763e0 1230->1236 1237 2b76385 1231->1237 1238 2b7635a 1231->1238 1232->1235 1233->1233 1239 2b763a4-2b763b2 1233->1239 1234->1229 1245 2b76306-2b76315 1234->1245 1235->1224 1240 2b763e9-2b76443 1235->1240 1236->1232 1237->1223 1239->1230 1242 2b76445-2b7644b 1240->1242 1243 2b7645f-2b76469 1240->1243 1246 2b76451-2b7645e call 2b7534d 1242->1246 1247 2b7644d-2b7644f 1242->1247 1243->1199 1244 2b7646f-2b76493 call 2b83750 call 2b7439c 1243->1244 1244->1199 1255 2b76499-2b764c4 RtlEnterCriticalSection RtlLeaveCriticalSection call 2b8133c 1244->1255 1245->1221 1250 2b76317-2b76327 1245->1250 1246->1243 1247->1243 1250->1220 1258 2b764c6-2b764d5 call 2b8133c 1255->1258 1259 2b7650e-2b76526 call 2b8133c 1255->1259 1258->1259 1266 2b764d7-2b764e6 call 2b8133c 1258->1266 1264 2b767cd-2b767dc call 2b8133c 1259->1264 1265 2b7652c-2b7652e 1259->1265 1274 2b76821-2b76830 call 2b8133c 1264->1274 1275 2b767de-2b767e0 1264->1275 1265->1264 1268 2b76534-2b765df call 2b81fac RtlEnterCriticalSection RtlLeaveCriticalSection call 2b83750 * 5 call 2b7439c * 2 1265->1268 1266->1259 1273 2b764e8-2b764f7 call 2b8133c 1266->1273 1320 2b765e1-2b765e3 1268->1320 1321 2b7661c 1268->1321 1273->1259 1288 2b764f9-2b76508 call 2b8133c 1273->1288 1286 2b76845-2b76854 call 2b8133c 1274->1286 1287 2b76832-2b7683b call 2b75c0c call 2b75d1a 1274->1287 1275->1274 1279 2b767e2-2b7681c call 2b83750 RtlEnterCriticalSection RtlLeaveCriticalSection 1275->1279 1279->1199 1286->1199 1300 2b7685a-2b7685c 1286->1300 1302 2b76840 1287->1302 1288->1199 1288->1259 1300->1199 1303 2b76862-2b7687b call 2b7439c 1300->1303 1302->1199 1303->1199 1309 2b76881-2b76950 call 2b81418 call 2b71ba7 1303->1309 1318 2b76957-2b76978 RtlEnterCriticalSection 1309->1318 1319 2b76952 call 2b7143f 1309->1319 1324 2b76984-2b769eb RtlLeaveCriticalSection call 2b73c67 call 2b73d7e call 2b77336 1318->1324 1325 2b7697a-2b76981 1318->1325 1319->1318 1320->1321 1326 2b765e5-2b765f7 call 2b8133c 1320->1326 1322 2b76620-2b7664e call 2b81fac call 2b83750 call 2b7439c 1321->1322 1344 2b76650-2b7665f call 2b825e6 1322->1344 1345 2b7668f-2b76698 call 2b81f74 1322->1345 1346 2b76b53-2b76b67 call 2b77fff 1324->1346 1347 2b769f1-2b76a33 call 2b79721 1324->1347 1325->1324 1326->1321 1333 2b765f9-2b7661a call 2b7439c 1326->1333 1333->1322 1344->1345 1360 2b76661 1344->1360 1358 2b7669e-2b766b6 call 2b827b5 1345->1358 1359 2b767bb-2b767c8 1345->1359 1346->1199 1356 2b76b1d-2b76b2e call 2b773e5 1347->1356 1357 2b76a39-2b76a40 1347->1357 1366 2b76b33-2b76b4e call 2b733b2 1356->1366 1362 2b76a43-2b76a48 1357->1362 1372 2b766c2 1358->1372 1373 2b766b8-2b766c0 call 2b78733 1358->1373 1359->1199 1364 2b76666-2b76678 call 2b81850 1360->1364 1362->1362 1367 2b76a4a-2b76a8f call 2b79721 1362->1367 1375 2b7667d-2b7668d call 2b825e6 1364->1375 1376 2b7667a 1364->1376 1366->1346 1367->1356 1381 2b76a95-2b76a9b 1367->1381 1374 2b766c4-2b76752 call 2b7984b call 2b73863 call 2b75119 call 2b73863 call 2b79af1 call 2b79c0b 1372->1374 1373->1374 1401 2b76757-2b76768 1374->1401 1375->1345 1375->1364 1376->1375 1385 2b76a9e-2b76aa3 1381->1385 1385->1385 1387 2b76aa5-2b76ae0 call 2b79721 1385->1387 1387->1356 1393 2b76ae2-2b76b16 call 2b7c113 1387->1393 1397 2b76b1b-2b76b1c 1393->1397 1397->1356 1402 2b7676f-2b7679a Sleep call 2b808f0 1401->1402 1403 2b7676a call 2b7380b 1401->1403 1407 2b767a6-2b767b4 1402->1407 1408 2b7679c-2b767a5 call 2b74100 1402->1408 1403->1402 1407->1359 1410 2b767b6 call 2b7380b 1407->1410 1408->1407 1410->1359
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(0000EA60), ref: 02B760FF
                                                                                                            • RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B7610A
                                                                                                            • RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B7611B
                                                                                                            Strings
                                                                                                            • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02B76124
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeaveSleep
                                                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                            • API String ID: 1566154052-1923541051
                                                                                                            • Opcode ID: 241515ec224f5ca02185e13032a98caa5d2c65f122a507cb52414cacdcb594ae
                                                                                                            • Instruction ID: 8bd0e50840bebe649faa6a0a2990f5a0c97f79a21253ea2b43e3bbd78949d667
                                                                                                            • Opcode Fuzzy Hash: 241515ec224f5ca02185e13032a98caa5d2c65f122a507cb52414cacdcb594ae
                                                                                                            • Instruction Fuzzy Hash: B7219D32488B90CFE721AF34A8477D2BBF5EF1A704B4805CDE1E297112DB615105CB82

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1413 401da5-401da8 1414 401daa 1413->1414 1415 401e0b-401e16 1413->1415 1416 401d95-401d9d RegOpenKeyExA 1414->1416 1417 401dac-401dc9 1414->1417 1418 401f4e-40209b SetEvent 1415->1418 1420 401dd6-401ddd 1417->1420 1421 401dcb-40d5f4 1417->1421 1424 40dc3a-40dc4d 1418->1424 1420->1418 1421->1424 1425 40dc52 1424->1425 1425->1425
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: EventOpen
                                                                                                            • String ID: 'l3k$.exe
                                                                                                            • API String ID: 3658969616-2632659021
                                                                                                            • Opcode ID: 91863bf70a53044422b0483ecfc40545a46aab5f930189fa63745c934b42f44f
                                                                                                            • Instruction ID: 866a35bc240b9fc6576fee2ec2866792a1cd1e7454ba96a004f15cac11a8e27f
                                                                                                            • Opcode Fuzzy Hash: 91863bf70a53044422b0483ecfc40545a46aab5f930189fa63745c934b42f44f
                                                                                                            • Instruction Fuzzy Hash: 30115730608641CBE3119B209F443A737B8AB52341F6444BACC87F61A1C73C894A864E

                                                                                                            Control-flow Graph

                                                                                                            • Executed
                                                                                                            • Not Executed
                                                                                                            control_flow_graph 1426 2b76bb4-2b76bb6 1427 2b76b3e-2b76b4b 1426->1427 1428 2b76bb8-2b76bbf 1426->1428 1429 2b76b53-2b76b67 call 2b77fff 1427->1429 1430 2b76b4e call 2b733b2 1427->1430 1433 2b760eb-2b760ed 1429->1433 1430->1429 1434 2b760f6-2b760f8 1433->1434 1435 2b760ef-2b760f4 1433->1435 1436 2b76105-2b76134 RtlEnterCriticalSection RtlLeaveCriticalSection 1434->1436 1437 2b760fa 1434->1437 1438 2b760ff Sleep 1435->1438 1439 2b76289-2b762b7 1436->1439 1437->1438 1438->1436 1441 2b762b9-2b762bd 1439->1441 1442 2b762bf-2b762c3 1441->1442 1443 2b7632b-2b76331 1441->1443 1444 2b762c5 1442->1444 1445 2b76332 1443->1445 1446 2b76388-2b7638b 1443->1446 1444->1439 1448 2b762c7-2b762c9 1444->1448 1445->1446 1449 2b76334-2b7633e 1445->1449 1447 2b7638e-2b7638f 1446->1447 1450 2b76391 1447->1450 1451 2b7636b-2b76372 1447->1451 1452 2b762ce-2b762d8 1448->1452 1453 2b763b7-2b763c8 1449->1453 1456 2b76395-2b763a2 1450->1456 1454 2b76374-2b76383 1451->1454 1455 2b763e1-2b763e4 1451->1455 1452->1441 1457 2b762da-2b76304 1452->1457 1458 2b763e7 1453->1458 1459 2b763ca-2b763e0 1453->1459 1460 2b76385 1454->1460 1461 2b7635a 1454->1461 1455->1458 1456->1456 1462 2b763a4-2b763b2 1456->1462 1457->1452 1468 2b76306-2b76315 1457->1468 1458->1447 1463 2b763e9-2b76443 1458->1463 1459->1455 1460->1446 1462->1453 1465 2b76445-2b7644b 1463->1465 1466 2b7645f-2b76469 1463->1466 1469 2b76451-2b7645e call 2b7534d 1465->1469 1470 2b7644d-2b7644f 1465->1470 1466->1433 1467 2b7646f-2b76493 call 2b83750 call 2b7439c 1466->1467 1467->1433 1478 2b76499-2b764c4 RtlEnterCriticalSection RtlLeaveCriticalSection call 2b8133c 1467->1478 1468->1444 1473 2b76317-2b76327 1468->1473 1469->1466 1470->1466 1473->1443 1481 2b764c6-2b764d5 call 2b8133c 1478->1481 1482 2b7650e-2b76526 call 2b8133c 1478->1482 1481->1482 1489 2b764d7-2b764e6 call 2b8133c 1481->1489 1487 2b767cd-2b767dc call 2b8133c 1482->1487 1488 2b7652c-2b7652e 1482->1488 1497 2b76821-2b76830 call 2b8133c 1487->1497 1498 2b767de-2b767e0 1487->1498 1488->1487 1491 2b76534-2b765df call 2b81fac RtlEnterCriticalSection RtlLeaveCriticalSection call 2b83750 * 5 call 2b7439c * 2 1488->1491 1489->1482 1496 2b764e8-2b764f7 call 2b8133c 1489->1496 1543 2b765e1-2b765e3 1491->1543 1544 2b7661c 1491->1544 1496->1482 1511 2b764f9-2b76508 call 2b8133c 1496->1511 1509 2b76845-2b76854 call 2b8133c 1497->1509 1510 2b76832-2b76840 call 2b75c0c call 2b75d1a 1497->1510 1498->1497 1502 2b767e2-2b7681c call 2b83750 RtlEnterCriticalSection RtlLeaveCriticalSection 1498->1502 1502->1433 1509->1433 1523 2b7685a-2b7685c 1509->1523 1510->1433 1511->1433 1511->1482 1523->1433 1526 2b76862-2b7687b call 2b7439c 1523->1526 1526->1433 1532 2b76881-2b76950 call 2b81418 call 2b71ba7 1526->1532 1541 2b76957-2b76978 RtlEnterCriticalSection 1532->1541 1542 2b76952 call 2b7143f 1532->1542 1547 2b76984-2b769eb RtlLeaveCriticalSection call 2b73c67 call 2b73d7e call 2b77336 1541->1547 1548 2b7697a-2b76981 1541->1548 1542->1541 1543->1544 1549 2b765e5-2b765f7 call 2b8133c 1543->1549 1545 2b76620-2b7664e call 2b81fac call 2b83750 call 2b7439c 1544->1545 1567 2b76650-2b7665f call 2b825e6 1545->1567 1568 2b7668f-2b76698 call 2b81f74 1545->1568 1547->1429 1569 2b769f1-2b76a33 call 2b79721 1547->1569 1548->1547 1549->1544 1556 2b765f9-2b7661a call 2b7439c 1549->1556 1556->1545 1567->1568 1580 2b76661 1567->1580 1578 2b7669e-2b766b6 call 2b827b5 1568->1578 1579 2b767bb-2b767c8 1568->1579 1576 2b76b1d-2b76b4e call 2b773e5 call 2b733b2 1569->1576 1577 2b76a39-2b76a40 1569->1577 1576->1429 1582 2b76a43-2b76a48 1577->1582 1592 2b766c2 1578->1592 1593 2b766b8-2b766c0 call 2b78733 1578->1593 1579->1433 1584 2b76666-2b76678 call 2b81850 1580->1584 1582->1582 1587 2b76a4a-2b76a8f call 2b79721 1582->1587 1595 2b7667d-2b7668d call 2b825e6 1584->1595 1596 2b7667a 1584->1596 1587->1576 1601 2b76a95-2b76a9b 1587->1601 1594 2b766c4-2b76768 call 2b7984b call 2b73863 call 2b75119 call 2b73863 call 2b79af1 call 2b79c0b 1592->1594 1593->1594 1622 2b7676f-2b7679a Sleep call 2b808f0 1594->1622 1623 2b7676a call 2b7380b 1594->1623 1595->1568 1595->1584 1596->1595 1605 2b76a9e-2b76aa3 1601->1605 1605->1605 1607 2b76aa5-2b76ae0 call 2b79721 1605->1607 1607->1576 1613 2b76ae2-2b76b1c call 2b7c113 1607->1613 1613->1576 1627 2b767a6-2b767b4 1622->1627 1628 2b7679c-2b767a5 call 2b74100 1622->1628 1623->1622 1627->1579 1630 2b767b6 call 2b7380b 1627->1630 1628->1627 1630->1579
                                                                                                            APIs
                                                                                                            • Sleep.KERNEL32(0000EA60), ref: 02B760FF
                                                                                                            • RtlEnterCriticalSection.NTDLL(02BA4FD0), ref: 02B7610A
                                                                                                            • RtlLeaveCriticalSection.NTDLL(02BA4FD0), ref: 02B7611B
                                                                                                            Strings
                                                                                                            • Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02B76124
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterLeaveSleep
                                                                                                            • String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
                                                                                                            • API String ID: 1566154052-1923541051
                                                                                                            • Opcode ID: 46edf5d40ff4b2ac7b62a265aa72e955dd43e5770411345c317444d93755624b
                                                                                                            • Instruction ID: d2c126c628fa9f1e8d34398be3750a4a195770aa53142f500ee9759700e0dfbf
                                                                                                            • Opcode Fuzzy Hash: 46edf5d40ff4b2ac7b62a265aa72e955dd43e5770411345c317444d93755624b
                                                                                                            • Instruction Fuzzy Hash: C9F0C2315887808FD3329B20E955AEAB7A4BF05308F4405D9E1AA8B191CFB19459CB82
                                                                                                            APIs
                                                                                                            • GetVersion.KERNEL32 ref: 00402A46
                                                                                                              • Part of subcall function 00403B64: HeapCreate.KERNEL32(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                                              • Part of subcall function 00403B64: HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                                            • GetCommandLineA.KERNEL32 ref: 00402A94
                                                                                                            • GetStartupInfoA.KERNEL32(?), ref: 00402ABF
                                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00402AE2
                                                                                                              • Part of subcall function 00402B3B: ExitProcess.KERNEL32 ref: 00402B58
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                                                                            • String ID:
                                                                                                            • API String ID: 2057626494-0
                                                                                                            • Opcode ID: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                                                            • Instruction ID: 5f87248e4510ca7a7a053da507506fe2897125482441b09741c869e2758f94b2
                                                                                                            • Opcode Fuzzy Hash: 81c04d43b3f46c58329c6832fe0805ef85b64df99fa32ea28edf2ad19d5a1781
                                                                                                            • Instruction Fuzzy Hash: BA214CB19006159ADB04AFA6DE49A6E7FA8EB04715F10413FF905BB2D1DB384900CA6C
                                                                                                            APIs
                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B72EEE
                                                                                                            • WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02B72EFD
                                                                                                            • WSAGetLastError.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02B72F0C
                                                                                                            • setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02B72F36
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$Socketsetsockopt
                                                                                                            • String ID:
                                                                                                            • API String ID: 2093263913-0
                                                                                                            • Opcode ID: e9cccc016c369de61cc8c38ebf1813eaae978b719d37603fb384451fe3808dff
                                                                                                            • Instruction ID: 360e527a1d3d8901955c09e161dc63cfb56891708b2c194bbb803f95ebb37c68
                                                                                                            • Opcode Fuzzy Hash: e9cccc016c369de61cc8c38ebf1813eaae978b719d37603fb384451fe3808dff
                                                                                                            • Instruction Fuzzy Hash: A2018871A40214BBDB205F65DC88F9B7BA9DB857B1F108965FD18CB241D77089008BB0
                                                                                                            APIs
                                                                                                              • Part of subcall function 02B72D39: WSASetLastError.WS2_32(00000000), ref: 02B72D47
                                                                                                              • Part of subcall function 02B72D39: WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02B72D5C
                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B72E6D
                                                                                                            • select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02B72E83
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$Sendselect
                                                                                                            • String ID: 3'
                                                                                                            • API String ID: 2958345159-280543908
                                                                                                            • Opcode ID: 31e352975db3a40108155fa50df071a5285f37db6551579c3c01748b013f7553
                                                                                                            • Instruction ID: ccf557cbe3ae950c2776762da5efbbf4e4dcbeb340753466498905ec740a3653
                                                                                                            • Opcode Fuzzy Hash: 31e352975db3a40108155fa50df071a5285f37db6551579c3c01748b013f7553
                                                                                                            • Instruction Fuzzy Hash: E131AEB1E00209AFDF10DFA4D824BEEBBBAEF05354F1049DADC2997240EB7595518FA0
                                                                                                            APIs
                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B72AEA
                                                                                                            • connect.WS2_32(?,?,?), ref: 02B72AF5
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastconnect
                                                                                                            • String ID: 3'
                                                                                                            • API String ID: 374722065-280543908
                                                                                                            • Opcode ID: 7947c484369b926c1e997c2041c16d88c07945814cd5f1b2fc8d8c22beb68f51
                                                                                                            • Instruction ID: 1191c88e298dd3b8aefc0e31403b14ff6c264ce433c214627fdac22ed67c6750
                                                                                                            • Opcode Fuzzy Hash: 7947c484369b926c1e997c2041c16d88c07945814cd5f1b2fc8d8c22beb68f51
                                                                                                            • Instruction Fuzzy Hash: 49218475E00214ABDF14AFB8D4147AEBBBAEF44364F1085D9DC39A7380EB745A058FA1
                                                                                                            APIs
                                                                                                            • RegSetValueExA.KERNEL32(?,classic_home_cinema_i56,00000000), ref: 004022EC
                                                                                                            • RegCloseKey.KERNEL32(?), ref: 0040DC57
                                                                                                            Strings
                                                                                                            • C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe, xrefs: 0040235C, 0040D73B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseValue
                                                                                                            • String ID: C:\ProgramData\ClassicHomeCinema\ClassicHomeCinema.exe
                                                                                                            • API String ID: 3132538880-1803433813
                                                                                                            • Opcode ID: 4641593bd5b9a3a0876b7d8202a09f3115f7eab90c517f239208f8895dcf671e
                                                                                                            • Instruction ID: b1a5d16bc2ceaa1898fa32fc664c1ab5dfaf230487324fad3e5fab9b3683b2a9
                                                                                                            • Opcode Fuzzy Hash: 4641593bd5b9a3a0876b7d8202a09f3115f7eab90c517f239208f8895dcf671e
                                                                                                            • Instruction Fuzzy Hash: 3811E12190D6808FC7455B64AF60AA63BB4A706344F1511BFE586B72A3D67C080EEB5F
                                                                                                            APIs
                                                                                                            • RegSetValueExA.KERNEL32(?,classic_home_cinema_i56,00000000), ref: 004022EC
                                                                                                            • RegCloseKey.KERNEL32(?), ref: 0040DC57
                                                                                                            Strings
                                                                                                            • classic_home_cinema_i56, xrefs: 00401E76
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseValue
                                                                                                            • String ID: classic_home_cinema_i56
                                                                                                            • API String ID: 3132538880-2700033101
                                                                                                            • Opcode ID: 4287fdbf53fc794595f1aed1c1d10a152eebe4ca104611573b2e0ccfdb467f27
                                                                                                            • Instruction ID: abb10eb6e4bb699019dab5373a34cee33de05093fc496e8c800fed89ae831c8e
                                                                                                            • Opcode Fuzzy Hash: 4287fdbf53fc794595f1aed1c1d10a152eebe4ca104611573b2e0ccfdb467f27
                                                                                                            • Instruction Fuzzy Hash: 630181319095848FD7554B64AF65BE63B74E316340F1100BAE586772B3D63C0D4AEB1F
                                                                                                            APIs
                                                                                                            • RegSetValueExA.KERNEL32(?,classic_home_cinema_i56,00000000), ref: 004022EC
                                                                                                            • RegCloseKey.KERNEL32(?), ref: 0040DC57
                                                                                                            Strings
                                                                                                            • classic_home_cinema_i56, xrefs: 00401E76
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CloseValue
                                                                                                            • String ID: classic_home_cinema_i56
                                                                                                            • API String ID: 3132538880-2700033101
                                                                                                            • Opcode ID: 75121968fd5ef4a19553090efa96eea6fe73361e7bcf2ad820954a38ba505515
                                                                                                            • Instruction ID: 36ff87731a71f486ac3fab46f0b3d8485277f928bed09576c9e55bbfb23ba6dd
                                                                                                            • Opcode Fuzzy Hash: 75121968fd5ef4a19553090efa96eea6fe73361e7bcf2ad820954a38ba505515
                                                                                                            • Instruction Fuzzy Hash: FD01D1315095808FC7418BA4AF60AE63B74E306300B1000BAE186772B3D63C0D5AEF1E
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog
                                                                                                            • String ID:
                                                                                                            • API String ID: 3519838083-0
                                                                                                            • Opcode ID: 8b39964a58640550d03acb4ea8399909a03bfa3a7dfa1d7244a8630608a6b54d
                                                                                                            • Instruction ID: ed8911c5005759907e2f8b9dfe610e0b955aa2a8d37febd11bf8af866e94a30e
                                                                                                            • Opcode Fuzzy Hash: 8b39964a58640550d03acb4ea8399909a03bfa3a7dfa1d7244a8630608a6b54d
                                                                                                            • Instruction Fuzzy Hash: CA5129B1A04216DFCB19DF68D5506AABBF1FF08320F14819EE8299B380D775D911CFA1
                                                                                                            APIs
                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02B736A7
                                                                                                              • Part of subcall function 02B72420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02B72432
                                                                                                              • Part of subcall function 02B72420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02B72445
                                                                                                              • Part of subcall function 02B72420: RtlEnterCriticalSection.NTDLL(?), ref: 02B72454
                                                                                                              • Part of subcall function 02B72420: InterlockedExchange.KERNEL32(?,00000001), ref: 02B72469
                                                                                                              • Part of subcall function 02B72420: RtlLeaveCriticalSection.NTDLL(?), ref: 02B72470
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
                                                                                                            • String ID:
                                                                                                            • API String ID: 1601054111-0
                                                                                                            • Opcode ID: b751d4d44c1fa634e45d68ec872d0e968173e5590ab8a5dc1d54b62b6d1f1457
                                                                                                            • Instruction ID: 9a1f1a1bbbfae1f81c64104089d8e08120d786a113ba1a9c4fcdc8c88302cb97
                                                                                                            • Opcode Fuzzy Hash: b751d4d44c1fa634e45d68ec872d0e968173e5590ab8a5dc1d54b62b6d1f1457
                                                                                                            • Instruction Fuzzy Hash: E711E3B5204208ABDF218F14CC85FAA3BE9EF44354F104496FE62CB2D0C774D960EB94
                                                                                                            APIs
                                                                                                            • __beginthreadex.LIBCMT ref: 02B81106
                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000002,02B79985,00000000), ref: 02B81137
                                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,00000002,02B79985,00000000), ref: 02B81145
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseHandleResumeThread__beginthreadex
                                                                                                            • String ID:
                                                                                                            • API String ID: 1685284544-0
                                                                                                            • Opcode ID: 90724cf5f027ee233bd7cf7c644efeff01c3fc2cc1d386f93f5b21ad25533b3b
                                                                                                            • Instruction ID: 24a33ac9e3b3cc21496bfc1e82aba22c05e83bc5628eb810f7870c09685c3db4
                                                                                                            • Opcode Fuzzy Hash: 90724cf5f027ee233bd7cf7c644efeff01c3fc2cc1d386f93f5b21ad25533b3b
                                                                                                            • Instruction Fuzzy Hash: BEF06271251200ABEB20AE5CDC80FA5B3E8EF48725F2405AAF55CD7290C7B1A892DB90
                                                                                                            APIs
                                                                                                            • InterlockedIncrement.KERNEL32(02BA529C), ref: 02B71ABA
                                                                                                            • WSAStartup.WS2_32(00000002,00000000), ref: 02B71ACB
                                                                                                            • InterlockedExchange.KERNEL32(02BA52A0,00000000), ref: 02B71AD7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Interlocked$ExchangeIncrementStartup
                                                                                                            • String ID:
                                                                                                            • API String ID: 1856147945-0
                                                                                                            • Opcode ID: 421b3a8b914bbac40c930764e3b6b34eb7d8fdea6bf8259499c295ab1379bb7d
                                                                                                            • Instruction ID: d023bc6a47f51d2c28a9309cd87499a5c6c1b68ee80f91842b2e69b80e6d4f23
                                                                                                            • Opcode Fuzzy Hash: 421b3a8b914bbac40c930764e3b6b34eb7d8fdea6bf8259499c295ab1379bb7d
                                                                                                            • Instruction Fuzzy Hash: 6ED05E31DC83085FE23166A4AE1EABC776CD705712FC00691FEB9C61C0EA52662087A6
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B74BF2
                                                                                                              • Part of subcall function 02B71BA7: __EH_prolog.LIBCMT ref: 02B71BAC
                                                                                                              • Part of subcall function 02B71BA7: RtlEnterCriticalSection.NTDLL ref: 02B71BBC
                                                                                                              • Part of subcall function 02B71BA7: RtlLeaveCriticalSection.NTDLL ref: 02B71BEA
                                                                                                              • Part of subcall function 02B71BA7: RtlEnterCriticalSection.NTDLL ref: 02B71C13
                                                                                                              • Part of subcall function 02B71BA7: RtlLeaveCriticalSection.NTDLL ref: 02B71C56
                                                                                                              • Part of subcall function 02B7D0F7: __EH_prolog.LIBCMT ref: 02B7D0FC
                                                                                                              • Part of subcall function 02B7D0F7: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B7D17B
                                                                                                            • InterlockedExchange.KERNEL32(?,00000000), ref: 02B74CF2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
                                                                                                            • String ID:
                                                                                                            • API String ID: 1927618982-0
                                                                                                            • Opcode ID: 433ad575a72b900bde3bfe2ea2e65a70313bd0d2d44346d5fdc4afccd632c5cb
                                                                                                            • Instruction ID: b95152c4ff3783777943a59e2aa34bba1c6e870debcf3816dc7db872062d3926
                                                                                                            • Opcode Fuzzy Hash: 433ad575a72b900bde3bfe2ea2e65a70313bd0d2d44346d5fdc4afccd632c5cb
                                                                                                            • Instruction Fuzzy Hash: E6511771D04248DFDB15DFA8C494AEEFBB5EF08314F1481AAE965AB352DB309A44CF90
                                                                                                            APIs
                                                                                                            • lstrcmpiW.KERNEL32(?,00409178), ref: 00401812
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrcmpi
                                                                                                            • String ID: hq~N
                                                                                                            • API String ID: 1586166983-2856139384
                                                                                                            • Opcode ID: 1408b6bc1364a524a577bb1ecb9208685e1e78e33e21863dad005ec10d89d2c5
                                                                                                            • Instruction ID: 02c9e1440662b1061e397cefb6380b0f254cf22eb9495d952fe0c81fe0b57e01
                                                                                                            • Opcode Fuzzy Hash: 1408b6bc1364a524a577bb1ecb9208685e1e78e33e21863dad005ec10d89d2c5
                                                                                                            • Instruction Fuzzy Hash: 0D212430918285CBC7109BA9EE547E63BB0B706300F5481B5D585B62B3C33C8D4AEB0C
                                                                                                            APIs
                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B72D47
                                                                                                            • WSASend.WS2_32(?,?,?,?,00000000,00000000,00000000), ref: 02B72D5C
                                                                                                              • Part of subcall function 02B79505: WSAGetLastError.WS2_32(00000000,?,?,02B72A51), ref: 02B79513
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLast$Send
                                                                                                            • String ID:
                                                                                                            • API String ID: 1282938840-0
                                                                                                            • Opcode ID: 1ef93513c87e0558e31aa316e337326dd27797f272a26599073c411357d88d23
                                                                                                            • Instruction ID: d9b845deb46e3f54a7f198efcccc6b50c47190764b662e7bf4504135cb654123
                                                                                                            • Opcode Fuzzy Hash: 1ef93513c87e0558e31aa316e337326dd27797f272a26599073c411357d88d23
                                                                                                            • Instruction Fuzzy Hash: 910184B5504205AFD7205FA9D84496BBBFDEF453A4B2009AEECA993300EB709D408B61
                                                                                                            APIs
                                                                                                            • lstrcmpiW.KERNEL32(?,00409178), ref: 00401812
                                                                                                            Strings
                                                                                                            • C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe, xrefs: 00401B92
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: lstrcmpi
                                                                                                            • String ID: C:\Users\user\AppData\Local\Classic Home Cinema 2.1.12\classichomecinema.exe
                                                                                                            • API String ID: 1586166983-2063213804
                                                                                                            • Opcode ID: 73f53f1329700b03cf39f3da3dd474ad4c5c296959517e005705f258587d62e8
                                                                                                            • Instruction ID: 37889ca4e6f963634dbb771ac37cc27f8cb514cf9ce9245705ad4c9862584455
                                                                                                            • Opcode Fuzzy Hash: 73f53f1329700b03cf39f3da3dd474ad4c5c296959517e005705f258587d62e8
                                                                                                            • Instruction Fuzzy Hash: 79014B31D10205CBD7109B59DE88B9977B4FB0A341F2080BAE549F62E1DB789E4ADB4C
                                                                                                            APIs
                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B77402
                                                                                                            • shutdown.WS2_32(?,00000002), ref: 02B7740B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastshutdown
                                                                                                            • String ID:
                                                                                                            • API String ID: 1920494066-0
                                                                                                            • Opcode ID: ce5fc842f2cba506c31ab78968928b76e97f2e36c947b7e91ddb5a319b282718
                                                                                                            • Instruction ID: 01586fc9f5c82c703518cdad9ff0329731a74a5d9a229cee9a3c752d23984f48
                                                                                                            • Opcode Fuzzy Hash: ce5fc842f2cba506c31ab78968928b76e97f2e36c947b7e91ddb5a319b282718
                                                                                                            • Instruction Fuzzy Hash: EAF0B431A043108FC7209F28D814B5ABBE5EF09365F118899ED6597380DB30AC10CF95
                                                                                                            APIs
                                                                                                            • HeapCreate.KERNEL32(00000000,00001000,00000000,00402A7F,00000000), ref: 00403B75
                                                                                                              • Part of subcall function 00403A1C: GetVersionExA.KERNEL32 ref: 00403A3B
                                                                                                            • HeapDestroy.KERNEL32 ref: 00403BB4
                                                                                                              • Part of subcall function 00403F3B: HeapAlloc.KERNEL32(00000000,00000140,00403B9D,000003F8), ref: 00403F48
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Heap$AllocCreateDestroyVersion
                                                                                                            • String ID:
                                                                                                            • API String ID: 2507506473-0
                                                                                                            • Opcode ID: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
                                                                                                            • Instruction ID: 13181fdbc77bd6b5762d4953551df96dffaf81345f3f43d3ea23e6f05a00c699
                                                                                                            • Opcode Fuzzy Hash: 41655e9e9c0e703031797a4b7b8f832f06af8b7de0b6b38e25141203e3b9edaa
                                                                                                            • Instruction Fuzzy Hash: 58F065706547029ADB101F319E4572A3EA89B4075BF10447FFD00F51D1EFBC9784951D
                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNEL32 ref: 004017B6
                                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040D6C4
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Module$FileHandleName
                                                                                                            • String ID:
                                                                                                            • API String ID: 4146042529-0
                                                                                                            • Opcode ID: 9513f0d58d9d65b3575befd1c8c58b3fb498bf4428a0073a9b652332c389f35d
                                                                                                            • Instruction ID: 12695722d95fbdf996fae137bc770e72cd195ed4a5ec6d2760f580e32442abde
                                                                                                            • Opcode Fuzzy Hash: 9513f0d58d9d65b3575befd1c8c58b3fb498bf4428a0073a9b652332c389f35d
                                                                                                            • Instruction Fuzzy Hash: 32D01274C08206FFD7009BF08F589A9367CB714305B118476B587F31E0CA79550D9A39
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B7511E
                                                                                                              • Part of subcall function 02B73D7E: htons.WS2_32(?), ref: 02B73DA2
                                                                                                              • Part of subcall function 02B73D7E: htonl.WS2_32(00000000), ref: 02B73DB9
                                                                                                              • Part of subcall function 02B73D7E: htonl.WS2_32(00000000), ref: 02B73DC0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: htonl$H_prologhtons
                                                                                                            • String ID:
                                                                                                            • API String ID: 4039807196-0
                                                                                                            • Opcode ID: 924eef98088b020bfcc7d89e8c6a11b53776547579e11b853187fc3beb6c53b3
                                                                                                            • Instruction ID: ef2ed8617711d59185a723c3a2167d5695946dc6407bb906c20f46d02895f5e8
                                                                                                            • Opcode Fuzzy Hash: 924eef98088b020bfcc7d89e8c6a11b53776547579e11b853187fc3beb6c53b3
                                                                                                            • Instruction Fuzzy Hash: 8A8147B1D0424ECECF15DFA8D480AEEBBB5EF48314F20819AD861B7240EB755A45CFA4
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B7D9C5
                                                                                                              • Part of subcall function 02B71A01: TlsGetValue.KERNEL32 ref: 02B71A0A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prologValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 3700342317-0
                                                                                                            • Opcode ID: 6463bb8a93f1611857dc66630c5ec2fcdd64d2a5a5c292e1236d29ae9efac8fc
                                                                                                            • Instruction ID: dfb862cd52facc91b28523ae3813e965ec34f39238321692d370f02b84375434
                                                                                                            • Opcode Fuzzy Hash: 6463bb8a93f1611857dc66630c5ec2fcdd64d2a5a5c292e1236d29ae9efac8fc
                                                                                                            • Instruction Fuzzy Hash: D52133B2D0420AAFDB04DF99D540AEEBBF9FF49350F10416EE924A7240D771A900CBA1
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Create
                                                                                                            • String ID:
                                                                                                            • API String ID: 2289755597-0
                                                                                                            • Opcode ID: 0fd94987bcb25d7c377d2996674c6c4ad75bd9d17f6e3ebe7861f22310b9b88b
                                                                                                            • Instruction ID: b943bf9dd02f481aa5c205b1905e0ba4ea34cd51cd036043cf3558cfe0d4bd24
                                                                                                            • Opcode Fuzzy Hash: 0fd94987bcb25d7c377d2996674c6c4ad75bd9d17f6e3ebe7861f22310b9b88b
                                                                                                            • Instruction Fuzzy Hash: F311E365A0D6818FC7018B74AF606E23BB4A716340B8410BAD0DAA7273D63C4D47EB1E
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B7D555
                                                                                                              • Part of subcall function 02B726DB: RtlEnterCriticalSection.NTDLL(?), ref: 02B72706
                                                                                                              • Part of subcall function 02B726DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02B7272B
                                                                                                              • Part of subcall function 02B726DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02B93163), ref: 02B72738
                                                                                                              • Part of subcall function 02B726DB: SetWaitableTimer.KERNEL32(?,?,000493E0,00000000,00000000,00000000), ref: 02B72778
                                                                                                              • Part of subcall function 02B726DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02B727D9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
                                                                                                            • String ID:
                                                                                                            • API String ID: 4293676635-0
                                                                                                            • Opcode ID: 3ca21315a5c08c8294483c9b7ad5bc819a6b4e93810af1bb9e46268eb0705225
                                                                                                            • Instruction ID: b42c1a978ae1320f9b123974bec664d9b6c7e84ad378493b372550d163cfdfb4
                                                                                                            • Opcode Fuzzy Hash: 3ca21315a5c08c8294483c9b7ad5bc819a6b4e93810af1bb9e46268eb0705225
                                                                                                            • Instruction Fuzzy Hash: F701BCB1900B049FCB28CF0AD54095ABBE5AF89300B15C5AED8598B322E370EA40CF90
                                                                                                            APIs
                                                                                                            • SHGetSpecialFolderPathA.SHELL32(1236CE87), ref: 02C0BE9E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002BA8000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BA8000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2ba8000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: FolderPathSpecial
                                                                                                            • String ID:
                                                                                                            • API String ID: 994120019-0
                                                                                                            • Opcode ID: 90950c960c940b3525c24f9aff16871e5cb426a099ea5d66c244fbc28d855037
                                                                                                            • Instruction ID: f4c85976340c5c0a738898218b3891775668169c8576196f103b2d32ff98ac83
                                                                                                            • Opcode Fuzzy Hash: 90950c960c940b3525c24f9aff16871e5cb426a099ea5d66c244fbc28d855037
                                                                                                            • Instruction Fuzzy Hash: 16F0E5B2C4C214EFE3117AA4DC851AAFBA4FB08350F160818DBE543550E7711960DBC3
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B7D334
                                                                                                              • Part of subcall function 02B827B5: _malloc.LIBCMT ref: 02B827CD
                                                                                                              • Part of subcall function 02B7D550: __EH_prolog.LIBCMT ref: 02B7D555
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog$_malloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 4254904621-0
                                                                                                            • Opcode ID: 59bd84d161a8b49f23d9f82abef96a3e4c1f8c1073e4883fde6b1edcc11a43da
                                                                                                            • Instruction ID: 37667ad792876cf3e346a260250ef555e69d9d4f60927ce7be9e1d18e5cc6025
                                                                                                            • Opcode Fuzzy Hash: 59bd84d161a8b49f23d9f82abef96a3e4c1f8c1073e4883fde6b1edcc11a43da
                                                                                                            • Instruction Fuzzy Hash: A0E0EC76A45146ABDF1DEF68981176E77B6EF44340F0085EDA81ED6640EB7099008A54
                                                                                                            APIs
                                                                                                              • Part of subcall function 02B848BA: __getptd_noexit.LIBCMT ref: 02B848BB
                                                                                                              • Part of subcall function 02B848BA: __amsg_exit.LIBCMT ref: 02B848C8
                                                                                                              • Part of subcall function 02B82493: __getptd_noexit.LIBCMT ref: 02B82497
                                                                                                              • Part of subcall function 02B82493: __freeptd.LIBCMT ref: 02B824B1
                                                                                                              • Part of subcall function 02B82493: RtlExitUserThread.NTDLL(?,00000000,?,02B82473,00000000), ref: 02B824BA
                                                                                                            • __XcptFilter.LIBCMT ref: 02B8247F
                                                                                                              • Part of subcall function 02B87944: __getptd_noexit.LIBCMT ref: 02B87948
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
                                                                                                            • String ID:
                                                                                                            • API String ID: 1405322794-0
                                                                                                            • Opcode ID: bfc8fbbd416fbbfa8bf37a4454731ab264234a5aed284ae27df6681188c4670c
                                                                                                            • Instruction ID: f84147da784e7c7da17c7090a002a7619207f700592266825994104e3f33a96b
                                                                                                            • Opcode Fuzzy Hash: bfc8fbbd416fbbfa8bf37a4454731ab264234a5aed284ae27df6681188c4670c
                                                                                                            • Instruction Fuzzy Hash: ADE0ECB5900640AFEB08BBB0D945E2D7BB6AF04315F2004D9E1059B271CA74A940EE20
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 0c72abbdb5a8916e4e24aebaccfaa2dc4555aad13b2a805eb269692c872dd74b
• Instruction ID: bb3ea7cc9101fcf5625ecd8c52feba8398713153468fd2575f0ccc666973f7e5
• Opcode Fuzzy Hash: 0c72abbdb5a8916e4e24aebaccfaa2dc4555aad13b2a805eb269692c872dd74b
• Instruction Fuzzy Hash: 56E0E574D01218DFCB14CE98D5A4BECB7B1BB08300F10806AE80277390D7395849DA19
APIs
Memory Dump Source
• Source File: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
• Opcode ID: c69ef31a7dd5daa9f4eddc9d810b040cbef82ecd0c1d190c9d93c4d740a89546
• Instruction ID: 27853292b9ebee26673c9e2a29a24e742e5dd7611a9ba99aca8ceaee4ed323a0
• Opcode Fuzzy Hash: c69ef31a7dd5daa9f4eddc9d810b040cbef82ecd0c1d190c9d93c4d740a89546
• Instruction Fuzzy Hash: 9DD0A7F0D0502CABC71496529E89EE7225CCB04B40F140077650AF20D2E67C8A496A3B
APIs
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002BA8000.00000040.00001000.00020000.00000000.sdmp, Offset: 02BA8000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2ba8000_classichomecinema.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 9f9084414764a2ca63f3571b10d4d7def1973cb1c1c63c1dd5514446fa58c9dd
• Instruction ID: 79b4b2f057f718bf86628f0b1d50928acc14c6d08f3aa83391a8dd871ab2da61
• Opcode Fuzzy Hash: 9f9084414764a2ca63f3571b10d4d7def1973cb1c1c63c1dd5514446fa58c9dd
• Instruction Fuzzy Hash: A1D092B001CA00CFD3167F19D5842BABAE1EF88701F02C86CD2C582A54DA700084DB97
APIs
Memory Dump Source
• Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: CreateDirectory
• String ID:
• API String ID: 4241100979-0
• Opcode ID: 6cee8c885636b5c7a1842f4f198ef58604c2e65a1783f243f6e934eccc6f75ac
• Instruction ID: 674d0c7ab9eb076612fc70335bf35aceca667704559374c7c7f61bf7c3824fc7
• Opcode Fuzzy Hash: 6cee8c885636b5c7a1842f4f198ef58604c2e65a1783f243f6e934eccc6f75ac
• Instruction Fuzzy Hash: 1EC012B4A8D128DAC206A6D64E08EFDB1684F09300F3004736587300D28AFC088A6AAF
APIs
• RegQueryValueExA.KERNEL32(?), ref: 0040E063
Memory Dump Source
• Source File: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: a8de28602004eb34c581e09bfa0515beefc3a9b04618b09406c365c5d84848a7
• Instruction ID: 9e0b40aab8dab8ddf24eea744c943b127f270eb78f13ff0892a98b979a6b27b3
• Opcode Fuzzy Hash: a8de28602004eb34c581e09bfa0515beefc3a9b04618b09406c365c5d84848a7
• Instruction Fuzzy Hash: 0BB09230904129DACB114F718A0877E7A70BA40700B114D2AC462B1090C7B98112BA5A
APIs
Memory Dump Source
• Source File: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: CopyFile
• String ID:
• API String ID: 1304948518-0
• Opcode ID: 8f1124ad888b4c9081d48329b3ea00d471a1649e9795068a1de60722a707dddc
• Instruction ID: 4a60a1b0ca679bb79b7e450458cb74753b6a01bb9afd35d6987d8c6a1826db30
• Opcode Fuzzy Hash: 8f1124ad888b4c9081d48329b3ea00d471a1649e9795068a1de60722a707dddc
• Instruction Fuzzy Hash: ABA022A0E0C002FEE8A02FC00EAEF2222CC030030CFA080323303300C0083C000EEA2E
APIs
Memory Dump Source
• Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: e66dba9bc5a59dec1b9cdc0a82b5261c8e6dde639c67a711cb867eaa7357f7a8
• Instruction ID: 3e4ad85b022d709214506f7c5254eb6a474fc2c7e84a93c50c55e0b9104debd3
• Opcode Fuzzy Hash: e66dba9bc5a59dec1b9cdc0a82b5261c8e6dde639c67a711cb867eaa7357f7a8
• Instruction Fuzzy Hash: 1BB01230C08001D6CE000BC08A0481876315E01310322803396C3300E08A3D4409BA1F
APIs
Memory Dump Source
• Source File: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: ManagerOpen
• String ID:
• API String ID: 1889721586-0
• Opcode ID: f5a9a6cd0d3dfde358d1ed34cf1567730a744f26f3328395782056a37fe8e46c
• Instruction ID: ca83de31cf88e0f7b1adfe4b18ba6b195261e8afb7945e6c10c43b12717cba52
• Opcode Fuzzy Hash: f5a9a6cd0d3dfde358d1ed34cf1567730a744f26f3328395782056a37fe8e46c
• Instruction Fuzzy Hash: 01A00270914105EFCB104F659AC806CBEB5B648391BB1887EE04BF25A0DB3446CDAA59
APIs
Memory Dump Source
• Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 5eacc4ed5d6b71a6d6739c56d810addfd786f62a5f4c78bf6b01d583d0a40c8d
• Instruction ID: a1f870591d39bb6d8b96134987fb6292501960ea232182ac0741a513a4621017
• Opcode Fuzzy Hash: 5eacc4ed5d6b71a6d6739c56d810addfd786f62a5f4c78bf6b01d583d0a40c8d
• Instruction Fuzzy Hash: 08900220204101DAE2040A725A4821566D8660874572145395443E1161DA3480055929
APIs
  • Part of subcall function 02B80610: OpenEventA.KERNEL32(00100002,00000000,00000000,4798DEFF), ref: 02B806B0
  • Part of subcall function 02B80610: CloseHandle.KERNEL32(00000000), ref: 02B806C5
  • Part of subcall function 02B80610: ResetEvent.KERNEL32(00000000,4798DEFF), ref: 02B806CF
  • Part of subcall function 02B80610: CloseHandle.KERNEL32(00000000,4798DEFF), ref: 02B80704
• TlsSetValue.KERNEL32(0000002B,?), ref: 02B811AA
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: CloseEventHandle$OpenResetValue
• String ID:
• API String ID: 1556185888-0
• Opcode ID: 6f4f380d248f6cc9d89a9af0c13670f5199ddc5c6d80a64fcf57ca60f318f3bf
• Instruction ID: 029cefa2f09580d09ae97c6d8bdd914e516531e90dbbc9bf9ebb185d0b59ec59
• Opcode Fuzzy Hash: 6f4f380d248f6cc9d89a9af0c13670f5199ddc5c6d80a64fcf57ca60f318f3bf
• Instruction Fuzzy Hash: CC01A271A54204AFD710EF98DC06B5ABBB8FB056B0F104B6AF829E3390D7716900CBA0
APIs
• VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000040,00409068), ref: 0040D0F5
Memory Dump Source
• Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 9e0ac0af364bcf308370d120fd539e398a1cb38d8b3d6c89812f58aa12c3aa18
• Instruction ID: 6bf2a068bfca1c8f86339732706a30905d399dbcba2ad77db48a53c6abb8bc1c
• Opcode Fuzzy Hash: 9e0ac0af364bcf308370d120fd539e398a1cb38d8b3d6c89812f58aa12c3aa18
• Instruction Fuzzy Hash: 6F018F30A01209AFDB04DF98C859BEEBBB4EB04310F10406AB655B76C1D378A945DB16
APIs
Memory Dump Source
• Source File: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: af258db13700fd9185a0206c61946e01d9dbc35cdb0cb0c98d9fd85e272a22aa
• Instruction ID: c0f68ce38cdc4fabbd5a2d72d20c4ce279d657f5bf4ba57cb2acef1ece1c22d5
• Opcode Fuzzy Hash: af258db13700fd9185a0206c61946e01d9dbc35cdb0cb0c98d9fd85e272a22aa
• Instruction Fuzzy Hash: 05B01230D44200DBD24057E0CF44A3C36749710300F100167E522B71D0CF381A45550F
APIs
Memory Dump Source
• Source File: 00000002.00000002.2921123471.0000000000400000.00000040.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.2921123471.000000000040B000.00000040.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_classichomecinema.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: d8ab2787facf2e2e3614e7dcd922b2cf540d4d131cdf778710a0da2ab63d60cd
• Instruction ID: 7353c5f7f151f97415b3cc1148ceb921584a2174ecfd3d22fe05316cc8b1a890
• Opcode Fuzzy Hash: d8ab2787facf2e2e3614e7dcd922b2cf540d4d131cdf778710a0da2ab63d60cd
• Instruction Fuzzy Hash: 7CA002609CD610C6E1485B907B59B2535306F00725F662137924BB84E14A7D550BBA5F
APIs
• sqlite3_malloc.SQLITE3 ref: 609674C6
  • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
  • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
  • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
• sqlite3_step.SQLITE3 ref: 6096755A
• sqlite3_malloc.SQLITE3 ref: 6096783A
• sqlite3_bind_int64.SQLITE3 ref: 609678A8
• sqlite3_column_bytes.SQLITE3 ref: 609678E8
• sqlite3_column_blob.SQLITE3 ref: 60967901
• sqlite3_column_int64.SQLITE3 ref: 6096791A
• sqlite3_column_int64.SQLITE3 ref: 60967931
• sqlite3_column_int64.SQLITE3 ref: 60967950
• sqlite3_step.SQLITE3 ref: 609679C3
• sqlite3_bind_int64.SQLITE3 ref: 60967AA9
• sqlite3_step.SQLITE3 ref: 60967AB4
• sqlite3_column_int.SQLITE3 ref: 60967AC7
• sqlite3_reset.SQLITE3 ref: 60967AD4
• sqlite3_bind_int.SQLITE3 ref: 60967B89
• sqlite3_step.SQLITE3 ref: 60967B94
• sqlite3_column_int64.SQLITE3 ref: 60967BB0
• sqlite3_column_int64.SQLITE3 ref: 60967BCF
• sqlite3_column_int64.SQLITE3 ref: 60967BE6
• sqlite3_column_bytes.SQLITE3 ref: 60967C05
• sqlite3_column_blob.SQLITE3 ref: 60967C1E
  • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED50
• sqlite3_bind_int64.SQLITE3 ref: 60967C72
• sqlite3_step.SQLITE3 ref: 60967C7D
• memcmp.MSVCRT ref: 60967D4C
• sqlite3_free.SQLITE3 ref: 60967D69
• sqlite3_free.SQLITE3 ref: 60967D74
• sqlite3_free.SQLITE3 ref: 60967FF7
• sqlite3_free.SQLITE3 ref: 60968002
  • Part of subcall function 609634F0: sqlite3_blob_reopen.SQLITE3 ref: 60963510
  • Part of subcall function 609634F0: sqlite3_blob_bytes.SQLITE3 ref: 609635A3
  • Part of subcall function 609634F0: sqlite3_malloc.SQLITE3 ref: 609635BB
  • Part of subcall function 609634F0: sqlite3_blob_read.SQLITE3 ref: 60963602
  • Part of subcall function 609634F0: sqlite3_free.SQLITE3 ref: 60963621
                                                                                                            • sqlite3_reset.SQLITE3 ref: 60967C93
                                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                                            • sqlite3_reset.SQLITE3 ref: 60967CA7
                                                                                                            • sqlite3_reset.SQLITE3 ref: 60968035
                                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 60967B72
                                                                                                              • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6096809D
                                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 609680C6
                                                                                                            • sqlite3_step.SQLITE3 ref: 609680D1
                                                                                                            • sqlite3_column_int.SQLITE3 ref: 609680F3
                                                                                                            • sqlite3_reset.SQLITE3 ref: 60968104
                                                                                                            • sqlite3_step.SQLITE3 ref: 60968139
                                                                                                            • sqlite3_column_int64.SQLITE3 ref: 60968151
                                                                                                            • sqlite3_reset.SQLITE3 ref: 6096818A
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED2B
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_bind_value.SQLITE3 ref: 6095EDDF
                                                                                                            • sqlite3_reset.SQLITE3 ref: 609679E9
                                                                                                              • Part of subcall function 609160CD: sqlite3_realloc.SQLITE3 ref: 609160EF
                                                                                                            • sqlite3_column_bytes.SQLITE3 ref: 60967587
                                                                                                              • Part of subcall function 6091D5DC: sqlite3_value_bytes.SQLITE3 ref: 6091D5F4
                                                                                                            • sqlite3_column_blob.SQLITE3 ref: 60967572
                                                                                                              • Part of subcall function 6091D57E: sqlite3_value_blob.SQLITE3 ref: 6091D596
                                                                                                            • sqlite3_reset.SQLITE3 ref: 609675B7
                                                                                                            • sqlite3_bind_int.SQLITE3 ref: 60967641
                                                                                                            • sqlite3_step.SQLITE3 ref: 6096764C
                                                                                                            • sqlite3_column_int64.SQLITE3 ref: 6096766E
                                                                                                            • sqlite3_reset.SQLITE3 ref: 6096768B
                                                                                                            • sqlite3_bind_int.SQLITE3 ref: 6096754F
                                                                                                              • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                                            • sqlite3_bind_int.SQLITE3 ref: 609690B2
                                                                                                            • sqlite3_bind_blob.SQLITE3 ref: 609690DB
                                                                                                            • sqlite3_step.SQLITE3 ref: 609690E6
                                                                                                            • sqlite3_reset.SQLITE3 ref: 609690F1
                                                                                                            • sqlite3_free.SQLITE3 ref: 60969102
                                                                                                            • sqlite3_free.SQLITE3 ref: 6096910D
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_reset$sqlite3_step$sqlite3_column_int64sqlite3_free$sqlite3_bind_int64$sqlite3_bind_int$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mprintf$sqlite3_column_intsqlite3_mutex_leave$memcmpsqlite3_bind_blobsqlite3_bind_valuesqlite3_blob_bytessqlite3_blob_readsqlite3_blob_reopensqlite3_initializesqlite3_mutex_entersqlite3_prepare_v2sqlite3_reallocsqlite3_value_blobsqlite3_value_bytes
                                                                                                            • String ID: $d
                                                                                                            • API String ID: 2451604321-2084297493
                                                                                                            • Opcode ID: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                                                            • Instruction ID: 6b7ea73e19bc996eb6a422b8fcf26663d3cb25e4dd91ceba81a4d6a678ae72ab
                                                                                                            • Opcode Fuzzy Hash: 8a4e51d2763d1baa8146902d495da2ef892242416c9706ebfa3093aedc646825
                                                                                                            • Instruction Fuzzy Hash: 2CF2CF74A152288FDB54CF68C980B9EBBF2BF69304F1185A9E888A7341D774ED85CF41
                                                                                                            APIs
                                                                                                            • sqlite3_finalize.SQLITE3 ref: 60966178
                                                                                                            • sqlite3_free.SQLITE3 ref: 60966183
                                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 609661AE
                                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 609661DE
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 60966236
                                                                                                            • sqlite3_value_int.SQLITE3 ref: 60966274
                                                                                                            • memcmp.MSVCRT ref: 6096639E
                                                                                                              • Part of subcall function 60940A5B: sqlite3_malloc.SQLITE3 ref: 60940AA1
                                                                                                              • Part of subcall function 60940A5B: sqlite3_free.SQLITE3 ref: 60940C1D
                                                                                                            • sqlite3_mprintf.SQLITE3 ref: 60966B51
                                                                                                            • sqlite3_mprintf.SQLITE3 ref: 60966B7D
                                                                                                              • Part of subcall function 609296AA: sqlite3_initialize.SQLITE3 ref: 609296B0
                                                                                                              • Part of subcall function 609296AA: sqlite3_vmprintf.SQLITE3 ref: 609296CA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_freesqlite3_mprintfsqlite3_value_numeric_type$memcmpsqlite3_finalizesqlite3_initializesqlite3_mallocsqlite3_value_intsqlite3_value_textsqlite3_vmprintf
                                                                                                            • String ID: ASC$DESC$x
                                                                                                            • API String ID: 4082667235-1162196452
                                                                                                            • Opcode ID: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                                            • Instruction ID: 01f4316cc9c65235d83944c747b96ccca9397e1276bdc6c450b31a73d7ca280a
                                                                                                            • Opcode Fuzzy Hash: 7264e4280a4ba67b830c3238f8418230a53be4a89f04bb086879d88682624c0f
                                                                                                            • Instruction Fuzzy Hash: AD921274A14319CFEB10CFA9C99079DBBB6BF69304F20816AD858AB342D774E985CF41
                                                                                                            APIs
                                                                                                            • sqlite3_bind_int64.SQLITE3(?,?), ref: 609693A5
                                                                                                            • sqlite3_step.SQLITE3(?,?), ref: 609693B0
                                                                                                            • sqlite3_column_int64.SQLITE3(?,?), ref: 609693DC
                                                                                                              • Part of subcall function 6096A2BD: sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                                              • Part of subcall function 6096A2BD: sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                                              • Part of subcall function 6096A2BD: sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                                              • Part of subcall function 6096A2BD: sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                                            • sqlite3_reset.SQLITE3(?,?), ref: 609693F3
                                                                                                            • sqlite3_malloc.SQLITE3(?), ref: 60969561
                                                                                                            • sqlite3_malloc.SQLITE3(?), ref: 6096958D
                                                                                                            • sqlite3_step.SQLITE3(?), ref: 609695D2
                                                                                                            • sqlite3_column_int64.SQLITE3(?), ref: 609695EA
                                                                                                            • sqlite3_reset.SQLITE3(?), ref: 60969604
                                                                                                            • sqlite3_realloc.SQLITE3(?), ref: 609697D0
                                                                                                            • sqlite3_realloc.SQLITE3(?), ref: 609698A9
                                                                                                              • Part of subcall function 609129D5: sqlite3_initialize.SQLITE3(?,?,?,60915F55,?,?,?,?,?,?,00000000,?,?,?,60915FE2,00000000), ref: 609129E0
                                                                                                            • sqlite3_bind_int64.SQLITE3(?,?), ref: 609699B8
                                                                                                            • sqlite3_bind_int64.SQLITE3(?), ref: 6096934D
                                                                                                              • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                                            • sqlite3_bind_int64.SQLITE3(?,?), ref: 60969A6A
                                                                                                            • sqlite3_step.SQLITE3(?,?), ref: 60969A75
                                                                                                            • sqlite3_reset.SQLITE3(?,?), ref: 60969A80
                                                                                                            • sqlite3_free.SQLITE3(?), ref: 60969D41
                                                                                                            • sqlite3_free.SQLITE3(?), ref: 60969D4C
                                                                                                            • sqlite3_free.SQLITE3(?), ref: 60969D5B
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_bind_int64$sqlite3_freesqlite3_resetsqlite3_step$sqlite3_column_int64sqlite3_mallocsqlite3_realloc$sqlite3_column_intsqlite3_initializesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2
                                                                                                            • String ID:
                                                                                                            • API String ID: 961572588-0
                                                                                                            • Opcode ID: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                                            • Instruction ID: dba6eef834311e7f80380fc62c490a647dd1765b4da9a7e0a506f520bf28697a
                                                                                                            • Opcode Fuzzy Hash: c724daf3936d67fd3e7a59374d144345718a9f8d9c21f3c7abba70c9fa35c0f4
                                                                                                            • Instruction Fuzzy Hash: 9872F275A042298FDB24CF69C88078DB7F6FF98314F1586A9D889AB341D774AD81CF81
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_bind_int64sqlite3_mutex_leavesqlite3_stricmp
                                                                                                            • String ID: 2$foreign key$indexed
                                                                                                            • API String ID: 4126863092-702264400
                                                                                                            • Opcode ID: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                                            • Instruction ID: 3d5d194cd292e354de8359ea213fef7e5121ae3f60f7d2d7ba557b44893e8b9c
                                                                                                            • Opcode Fuzzy Hash: efb0247afb620838301bdf32ec29a55ffab8ab84c5461d6934eb6e15b590f11f
                                                                                                            • Instruction Fuzzy Hash: 6BE1B374A142099FDB04CFA8D590A9DBBF2BFA9304F21C129E855AB754DB35ED82CF40
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_stricmp
                                                                                                            • String ID: USING COVERING INDEX $DISTINCT$ORDER BY
                                                                                                            • API String ID: 912767213-1308749736
                                                                                                            • Opcode ID: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                                            • Instruction ID: 4f43644a9add5c5df618cbd47cd61ce2203d262f2077f605e752fe25420d36ab
                                                                                                            • Opcode Fuzzy Hash: 5e6ae8a77223c4cf3853263767bd84c2ef0a0cb2633a4755bdfaa367f33b2fd5
                                                                                                            • Instruction Fuzzy Hash: 2412D674A08268CFDB25DF28C880B5AB7B3AFA9314F1085E9E8899B355D774DD81CF41
                                                                                                            APIs
                                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6094B488
                                                                                                            • sqlite3_step.SQLITE3 ref: 6094B496
                                                                                                            • sqlite3_reset.SQLITE3 ref: 6094B4A4
                                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6094B4D2
                                                                                                            • sqlite3_step.SQLITE3 ref: 6094B4E0
                                                                                                            • sqlite3_reset.SQLITE3 ref: 6094B4EE
                                                                                                              • Part of subcall function 6094B54C: memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,6094B44B), ref: 6094B6B5
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_bind_int64sqlite3_resetsqlite3_step$memmove
                                                                                                            • String ID:
                                                                                                            • API String ID: 4082478743-0
                                                                                                            • Opcode ID: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
                                                                                                            • Instruction ID: 9e7f29540a3c6f2d28ce6b101cd1a975f5529a8f599b89b7128c34d749e8d9ce
                                                                                                            • Opcode Fuzzy Hash: 967f7dd55d0e0ed5657609aa573e07de9c17706341fbe9ef37ba536950e7892f
                                                                                                            • Instruction Fuzzy Hash: DD41D2B4A087018FCB50DF69C484A9EB7F6EFA8364F158929EC99CB315E734E8418F51
                                                                                                            APIs
                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6094D354
                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6094D546
                                                                                                              • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905D8B
                                                                                                              • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DA4
                                                                                                              • Part of subcall function 60905D76: sqlite3_stricmp.SQLITE3 ref: 60905DB8
                                                                                                            • sqlite3_stricmp.SQLITE3 ref: 6094D3DA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_stricmp$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                            • String ID: BINARY$INTEGER
                                                                                                            • API String ID: 317512412-1676293250
                                                                                                            • Opcode ID: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                                            • Instruction ID: cace79839434994537c0410bddb438ad3d501bddbf1b20fcc6a8a8bdb5da7fdd
                                                                                                            • Opcode Fuzzy Hash: a7efc97792d1e6a4bc5cda92ab6d03f9066f32250883ff14ac0274f07e3e06bf
                                                                                                            • Instruction Fuzzy Hash: 8E712978A056099BDB05CF69C49079EBBF2BFA8308F11C529EC55AB3A4D734E941CF80
                                                                                                            APIs
                                                                                                              • Part of subcall function 02B78AD5: __EH_prolog.LIBCMT ref: 02B78ADA
                                                                                                              • Part of subcall function 02B78AD5: _Allocate.LIBCPMT ref: 02B78B31
                                                                                                              • Part of subcall function 02B78AD5: _memmove.LIBCMT ref: 02B78B88
                                                                                                            • FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02B7F9A2
                                                                                                            • GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02B7F9AA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateErrorFormatH_prologLastMessage_memmove
                                                                                                            • String ID: Unknown error$invalid string position
                                                                                                            • API String ID: 1017912131-1837348584
                                                                                                            • Opcode ID: 84eee2e6b0b52e69d7cd1c789872040be7e2fff4380836febeaeecd381d26dca
                                                                                                            • Instruction ID: 522ffe8d5cf459479d9e5e9c6b24f0c7f58936739391e99df66091276493d206
                                                                                                            • Opcode Fuzzy Hash: 84eee2e6b0b52e69d7cd1c789872040be7e2fff4380836febeaeecd381d26dca
                                                                                                            • Instruction Fuzzy Hash: 6B51CB706083419FE714DF28C890B2EBBE4EB88344F5049ADF4A297AA1D771E588CF56
                                                                                                            APIs
                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6093F443
                                                                                                              • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6093F45C
                                                                                                              • Part of subcall function 60939559: memcmp.MSVCRT ref: 60939694
                                                                                                              • Part of subcall function 60939559: memcmp.MSVCRT ref: 609396CA
                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6093F8CD
                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6093F8E3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: memcmpsqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                                            • String ID:
                                                                                                            • API String ID: 4038589952-0
                                                                                                            • Opcode ID: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                                            • Instruction ID: 916146ddc5613ce70bfe97dc7fabc38680eb49f4f4fdba01105907ea2da9c682
                                                                                                            • Opcode Fuzzy Hash: 29e5932b9866e1e5e2fcd92ac707fe98724786dada8c9b11deae4621e05e1fb7
                                                                                                            • Instruction Fuzzy Hash: 87F13674A046158FDB18CFA9C590A9EB7F7AFA8308F248429E846AB355D774EC42CF40
                                                                                                            APIs
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                                            • sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                                              • Part of subcall function 609256E5: sqlite3_bind_int64.SQLITE3 ref: 60925704
                                                                                                            • sqlite3_column_int.SQLITE3 ref: 6096A3F3
                                                                                                            • sqlite3_step.SQLITE3 ref: 6096A435
                                                                                                            • sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_bind_intsqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_prepare_v2sqlite3_resetsqlite3_step
                                                                                                            • String ID:
                                                                                                            • API String ID: 247099642-0
                                                                                                            • Opcode ID: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                                            • Instruction ID: 69535c0605dcb565d56369453fd68d3a3097adfd173720c6e67b3d4aca8354ad
                                                                                                            • Opcode Fuzzy Hash: 64427881e425bd4a7d2fa305579facb0dd1ab8a71ce9f1271cd8f49c57a97bec
                                                                                                            • Instruction Fuzzy Hash: FF2151B0A143148BEB109FA9D88479EB7FAEF64308F00852DE89597350EBB8D845CF51
                                                                                                            APIs
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_mprintf.SQLITE3 ref: 6095ED06
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_prepare_v2.SQLITE3 ref: 6095ED8D
                                                                                                              • Part of subcall function 6095ECA6: sqlite3_free.SQLITE3 ref: 6095ED9B
                                                                                                            • sqlite3_bind_int64.SQLITE3 ref: 6096A322
                                                                                                              • Part of subcall function 60925686: sqlite3_mutex_leave.SQLITE3 ref: 609256D3
                                                                                                            • sqlite3_step.SQLITE3 ref: 6096A32D
                                                                                                            • sqlite3_column_int.SQLITE3 ref: 6096A347
                                                                                                              • Part of subcall function 6091D4F4: sqlite3_value_int.SQLITE3 ref: 6091D50C
                                                                                                            • sqlite3_reset.SQLITE3 ref: 6096A354
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_bind_int64sqlite3_column_intsqlite3_freesqlite3_mprintfsqlite3_mutex_leavesqlite3_prepare_v2sqlite3_resetsqlite3_stepsqlite3_value_int
                                                                                                            • String ID:
                                                                                                            • API String ID: 326482775-0
                                                                                                            • Opcode ID: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                                            • Instruction ID: 7c1586c82cd56d85cf32929a5cd575737867df940847ca2bf63216634e784e33
                                                                                                            • Opcode Fuzzy Hash: de94f0bba3b8b54078f1ceecce583a965f8e010bb36370f6070bcd8bc28ee8b0
                                                                                                            • Instruction Fuzzy Hash: 0E214DB0A043049BDB04DFA9C480B9EF7FAEFA8354F04C429E8959B340E778D8418B51
                                                                                                            APIs
                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 6090C1EA
                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6090C22F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                            • String ID:
                                                                                                            • API String ID: 1477753154-0
                                                                                                            • Opcode ID: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                                            • Instruction ID: fc120f7ed3300d8301d0f99cb769197b575d5683181bd6b289e4b53452841bc5
                                                                                                            • Opcode Fuzzy Hash: 8c595cf50166d2d57a1b46d7a61a8743a20f226779b5cb212a2500e19f50b056
                                                                                                            • Instruction Fuzzy Hash: 6501F4715042548BDB449F2EC4C576EBBEAEF65318F048469DD419B326D374D882CBA1
                                                                                                            APIs
                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,02B83AF6,?,?,?,00000001), ref: 02B880DF
                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02B880E8
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExceptionFilterUnhandled
                                                                                                            • String ID:
                                                                                                            • API String ID: 3192549508-0
                                                                                                            • Opcode ID: 3603eedac42e28b06e84b9e3f6e9a8c6bd46be272566d64c302bff354dd6eccd
                                                                                                            • Instruction ID: 5ce7204d5010301f4253fd620cba379132b439b66eb63ceb54c357d8d33685e1
                                                                                                            • Opcode Fuzzy Hash: 3603eedac42e28b06e84b9e3f6e9a8c6bd46be272566d64c302bff354dd6eccd
                                                                                                            • Instruction Fuzzy Hash: 6FB092314C8208ABCB222B91E919B583F28FB046D2FC48810F60E460508B6255709BD2
                                                                                                            APIs
                                                                                                              • Part of subcall function 6092535E: sqlite3_log.SQLITE3 ref: 60925406
                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 60925508
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                                            • String ID:
                                                                                                            • API String ID: 1465156292-0
                                                                                                            • Opcode ID: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                                            • Instruction ID: ad89f0bb34aa7175efe61e1ac22fb0c12735e6005c3b9edbf096fd229bca234b
                                                                                                            • Opcode Fuzzy Hash: 7f15987c0945e0fd4273a36fcce91cc0d916abb620506d2e7fdad6d0c82ef640
                                                                                                            • Instruction Fuzzy Hash: 5A01A475B107148BCB109F2ACC8164BBBFAEF68254F05991AEC41DB315D775ED458BC0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _memmove
                                                                                                            • String ID:
                                                                                                            • API String ID: 4104443479-0
                                                                                                            • Opcode ID: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                                            • Instruction ID: 98b13b5206da5b91c7faa35d90af31097790fe1faaf06dfd5cc0f9eb311eb42d
                                                                                                            • Opcode Fuzzy Hash: 50ed358c2bc5baa28b61a63f85c8bcfb39f11c9cdbb9bf2bbec23c38127e8fb6
                                                                                                            • Instruction Fuzzy Hash: 52F082B5904309AAD704DF99D942B8DFBB8EF84314F2081A9D50CA7340E6B0BA118B90
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                                                            • Instruction ID: aa639d4c52eda77921d109c173628d401b16d57fa3137d2b917a91732d8775c8
                                                                                                            • Opcode Fuzzy Hash: d3c407e99ff1326d716251d27052f3514f6d3ace0f30ccd24b81610f61b1d9b8
                                                                                                            • Instruction Fuzzy Hash: D7C01265704208574B00E92DE8C154577AA9718164B108039E80B87301D975ED084291
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_mbcs_to_utf8
                                                                                                            • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                                                            • API String ID: 937752868-2111127023
                                                                                                            • Opcode ID: 790c833cc1fbb367a9c2b03a48d0fe6427ec60a778556f52a2f7a42315cae969
                                                                                                            • Instruction ID: 65a1564e5812e901c47d2d0e8e64920046ae54dd737849fc0956122b524b53c9
                                                                                                            • Opcode Fuzzy Hash: 790c833cc1fbb367a9c2b03a48d0fe6427ec60a778556f52a2f7a42315cae969
                                                                                                            • Instruction Fuzzy Hash: 19512C706187018FE700AF69D88575DBFF6AFA5708F10C81DE8999B214EB78C845DF42
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 60948728
                                                                                                            • PRAGMA vacuum_db.synchronous=OFF, xrefs: 609485BB
                                                                                                            • SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' , xrefs: 609486E8
                                                                                                            • BEGIN;, xrefs: 609485DB
                                                                                                            • SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' , xrefs: 60948748
                                                                                                            • INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0), xrefs: 60948788
                                                                                                            • SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0, xrefs: 609486C8
                                                                                                            • SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %', xrefs: 60948708
                                                                                                            • ATTACH '' AS vacuum_db;, xrefs: 60948529
                                                                                                            • SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';, xrefs: 60948768
                                                                                                            • ATTACH ':memory:' AS vacuum_db;, xrefs: 60948534
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_log
                                                                                                            • String ID: ATTACH '' AS vacuum_db;$ATTACH ':memory:' AS vacuum_db;$BEGIN;$INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)$PRAGMA vacuum_db.synchronous=OFF$SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' $SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0$SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'$SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' $SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';$SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                                                                                                            • API String ID: 632333372-52344843
                                                                                                            • Opcode ID: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                                            • Instruction ID: 17dae18cb22bd420f764556e48f7e631e7f528851c991f2db59136dec61311d4
                                                                                                            • Opcode Fuzzy Hash: d52540ff3cd5a889f8fcb2175177c5c293f6bf3e96b3409faf11301466b535e5
                                                                                                            • Instruction Fuzzy Hash: 1202F6B0A046299BDB2ACF18C88179EB7FABF65304F1081D9E858AB355D771DE81CF41
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B724E6
                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02B724FC
                                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02B7250E
                                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02B7256D
                                                                                                            • SetLastError.KERNEL32(00000000,?,74DEDFB0), ref: 02B7257F
                                                                                                            • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,74DEDFB0), ref: 02B72599
                                                                                                            • GetLastError.KERNEL32(?,74DEDFB0), ref: 02B725A2
                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02B725F0
                                                                                                            • InterlockedDecrement.KERNEL32(00000002), ref: 02B7262F
                                                                                                            • InterlockedExchange.KERNEL32(00000000,00000000), ref: 02B7268E
                                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B72699
                                                                                                            • InterlockedExchange.KERNEL32(00000000,00000001), ref: 02B726AD
                                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,74DEDFB0), ref: 02B726BD
                                                                                                            • GetLastError.KERNEL32(?,74DEDFB0), ref: 02B726C7
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
                                                                                                            • String ID:
                                                                                                            • API String ID: 1213838671-0
                                                                                                            • Opcode ID: 205151360c232a89944112e12be6679e550e4848c5368899aea3417f7f6420a1
                                                                                                            • Instruction ID: ad0cdaccc47a8a3505951277d0bffe8916b43ace61a0e316130cbf291cabe22b
                                                                                                            • Opcode Fuzzy Hash: 205151360c232a89944112e12be6679e550e4848c5368899aea3417f7f6420a1
                                                                                                            • Instruction Fuzzy Hash: EF614071D40209EFCB21DFA4D998AEEBBB9FF08354F50496AE916E7240D7309A44CF60
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B74608
                                                                                                              • Part of subcall function 02B827B5: _malloc.LIBCMT ref: 02B827CD
                                                                                                            • htons.WS2_32(?), ref: 02B74669
                                                                                                            • htonl.WS2_32(?), ref: 02B7468C
                                                                                                            • htonl.WS2_32(00000000), ref: 02B74693
                                                                                                            • htons.WS2_32(00000000), ref: 02B74747
                                                                                                            • _sprintf.LIBCMT ref: 02B7475D
                                                                                                              • Part of subcall function 02B77987: _memmove.LIBCMT ref: 02B779A7
                                                                                                            • htons.WS2_32(?), ref: 02B746B0
                                                                                                              • Part of subcall function 02B78733: __EH_prolog.LIBCMT ref: 02B78738
                                                                                                              • Part of subcall function 02B78733: RtlEnterCriticalSection.NTDLL(00000020), ref: 02B787B3
                                                                                                              • Part of subcall function 02B78733: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02B787D1
                                                                                                              • Part of subcall function 02B71BA7: __EH_prolog.LIBCMT ref: 02B71BAC
                                                                                                              • Part of subcall function 02B71BA7: RtlEnterCriticalSection.NTDLL ref: 02B71BBC
                                                                                                              • Part of subcall function 02B71BA7: RtlLeaveCriticalSection.NTDLL ref: 02B71BEA
                                                                                                              • Part of subcall function 02B71BA7: RtlEnterCriticalSection.NTDLL ref: 02B71C13
                                                                                                              • Part of subcall function 02B71BA7: RtlLeaveCriticalSection.NTDLL ref: 02B71C56
                                                                                                              • Part of subcall function 02B7CEEF: __EH_prolog.LIBCMT ref: 02B7CEF4
                                                                                                            • htonl.WS2_32(?), ref: 02B7497C
                                                                                                            • htonl.WS2_32(00000000), ref: 02B74983
                                                                                                            • htonl.WS2_32(00000000), ref: 02B749C8
                                                                                                            • htonl.WS2_32(00000000), ref: 02B749CF
                                                                                                            • htons.WS2_32(?), ref: 02B749EF
                                                                                                            • htons.WS2_32(?), ref: 02B749F9
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_memmove_sprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 1645262487-0
                                                                                                            • Opcode ID: b8dd011f662f26a226e0750cb2adafe4d85ff3f822f1148799856abb1c74f359
                                                                                                            • Instruction ID: 6aad31bbe9bc6b1fb1aa5521072e4034309fd67adc6de725ab6aab1bb079463e
                                                                                                            • Opcode Fuzzy Hash: b8dd011f662f26a226e0750cb2adafe4d85ff3f822f1148799856abb1c74f359
                                                                                                            • Instruction Fuzzy Hash: D7022771D0025DEEDF15DFA4C844BEEBBB9AF08305F10459AE515B7280DB746A88CFA1
                                                                                                            APIs
                                                                                                            • RtlDecodePointer.NTDLL(?), ref: 02B86EE8
                                                                                                            • _free.LIBCMT ref: 02B86F01
                                                                                                              • Part of subcall function 02B81F74: HeapFree.KERNEL32(00000000,00000000,?,02B84932,00000000,00000104,74DF0A60), ref: 02B81F88
                                                                                                              • Part of subcall function 02B81F74: GetLastError.KERNEL32(00000000,?,02B84932,00000000,00000104,74DF0A60), ref: 02B81F9A
                                                                                                            • _free.LIBCMT ref: 02B86F14
                                                                                                            • _free.LIBCMT ref: 02B86F32
                                                                                                            • _free.LIBCMT ref: 02B86F44
                                                                                                            • _free.LIBCMT ref: 02B86F55
                                                                                                            • _free.LIBCMT ref: 02B86F60
                                                                                                            • _free.LIBCMT ref: 02B86F84
                                                                                                            • RtlEncodePointer.NTDLL(008595F8), ref: 02B86F8B
                                                                                                            • _free.LIBCMT ref: 02B86FA0
                                                                                                            • _free.LIBCMT ref: 02B86FB6
                                                                                                            • _free.LIBCMT ref: 02B86FDE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                            • String ID:
                                                                                                            • API String ID: 3064303923-0
                                                                                                            • Opcode ID: 3c9f1b03277774a50988a001f6b54daaa150805a4c18de2767e9374b2064ea3c
                                                                                                            • Instruction ID: 09411a641f35e5df592103c7e1841d74fea2466d03a5f7dc9f90af0e499da1ca
                                                                                                            • Opcode Fuzzy Hash: 3c9f1b03277774a50988a001f6b54daaa150805a4c18de2767e9374b2064ea3c
                                                                                                            • Instruction Fuzzy Hash: A721B536D89151DFCB217FA8F8436497779EB047A43194DBAE80C97210CB71A866DF60
                                                                                                            APIs
                                                                                                              • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                                              • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                                              • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                                              • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
                                                                                                              • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
                                                                                                              • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
                                                                                                              • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
                                                                                                            • sqlite3_malloc.SQLITE3 ref: 60960384
                                                                                                            • sqlite3_free.SQLITE3 ref: 609605EA
                                                                                                            • sqlite3_result_error_code.SQLITE3 ref: 6096060D
                                                                                                            • sqlite3_free.SQLITE3 ref: 60960618
                                                                                                            • sqlite3_result_text.SQLITE3 ref: 6096063C
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_free$sqlite3_result_error_code$sqlite3_bind_int64sqlite3_mallocsqlite3_mprintfsqlite3_resetsqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                                            • String ID: offsets
                                                                                                            • API String ID: 463808202-2642679573
                                                                                                            • Opcode ID: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                                            • Instruction ID: 1101d6838161b799219a4b3d5732631e197d31251dd2d8b91c34f261bd2faa79
                                                                                                            • Opcode Fuzzy Hash: 496dcd0dbd0e24e84f3ae9a4f9495b5d667a7098f4014ef95464c797b1727b83
                                                                                                            • Instruction Fuzzy Hash: 72C1D374A183198FDB14CF59C580B8EBBF2BFA8314F2085A9E849AB354D734D985CF52
                                                                                                            APIs
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A3C1
                                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A3D6
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A3E4
                                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A416
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A424
                                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A43A
                                                                                                            • sqlite3_result_text.SQLITE3 ref: 6091A5A2
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_result_text
                                                                                                            • String ID:
                                                                                                            • API String ID: 2903785150-0
                                                                                                            • Opcode ID: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                                            • Instruction ID: 050d84d3da0bd462ad4a4a15df4a38950001fc66f1de33c81d7c2c3a6f7146e7
                                                                                                            • Opcode Fuzzy Hash: 408a6008a3f19a662094ad197d730d6af4ceeedc2d56196c0f88669f9a2ea12f
                                                                                                            • Instruction Fuzzy Hash: 8971D074E086599FCF00DFA8C88069DBBF2BF59314F1485AAE855AB304E734EC85CB91
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B73428
                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02B7346B
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02B73472
                                                                                                            • GetLastError.KERNEL32 ref: 02B73486
                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02B734D7
                                                                                                            • RtlEnterCriticalSection.NTDLL(00000018), ref: 02B734ED
                                                                                                            • RtlLeaveCriticalSection.NTDLL(00000018), ref: 02B73518
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
                                                                                                            • String ID: CancelIoEx$KERNEL32
                                                                                                            • API String ID: 2902213904-434325024
                                                                                                            • Opcode ID: f7753fdf98fb7c241a1a2b9baaf00ae9f88862c9bffd43890de31ba6b9e602ae
                                                                                                            • Instruction ID: 40e24bdb2ad4ac4b430ad5746488fed6fd1a7bbb4f418151debef89c9df36640
                                                                                                            • Opcode Fuzzy Hash: f7753fdf98fb7c241a1a2b9baaf00ae9f88862c9bffd43890de31ba6b9e602ae
                                                                                                            • Instruction Fuzzy Hash: 54319AB2A00305DFDB129F64D894BAABBF9FF49350F1488E9E8259B340C7709910CFA1
                                                                                                            APIs
                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091264D
                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912662
                                                                                                            • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091273E
                                                                                                            • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912753
                                                                                                            • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912758
                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 60912803
                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091280E
                                                                                                            • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091282A
                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 6091283F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                                                            • String ID:
                                                                                                            • API String ID: 3556715608-0
                                                                                                            • Opcode ID: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                                            • Instruction ID: 37d7613b282c24208f37f95ee69ae3eaf9c0527d79975c213f2f38643f7f707f
                                                                                                            • Opcode Fuzzy Hash: 7a5b012c4fe40a1866ea25e0c9ef8651b072e840c3be51a8f23ca71a75eb633f
                                                                                                            • Instruction Fuzzy Hash: FEA14A71A2C215CBEB009F69CC843257FE7B7A7318F10816DD415AB2A0E7B9DC95EB11
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: $ AND $%s USING %sINDEX %s%s$%s USING AUTOMATIC %sINDEX%.0s%s$)><$0$ANY($COVERING $SCAN$SEARCH$rowid
                                                                                                            • API String ID: 0-780898
                                                                                                            • Opcode ID: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                                            • Instruction ID: 1b008e11d07f16b9462ef115b46fd1892196ed4c5360d6a6f9a636b6bab85f9b
                                                                                                            • Opcode Fuzzy Hash: d1d17e5dd7c74eae3224551f6f3ab351f201226dcaab78a09df61ec6b72ac00d
                                                                                                            • Instruction Fuzzy Hash: 46D109B0A087099FD714CF99C19079DBBF2BFA8308F10886AE495AB355D774D982CF81
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
                                                                                                            • API String ID: 0-2604012851
                                                                                                            • Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                                            • Instruction ID: a78f5df49eecf700eafad7d6eadd6707640e608d2d263d021760269e78388884
                                                                                                            • Opcode Fuzzy Hash: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
                                                                                                            • Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
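The function records on this page are raw output of the Joe Sandbox IDA plugin and the report does not say how to read them. As an added example (not part of the report and not Joe Sandbox's own tooling), the script below parses records in this format, lists each function's API calls with their call-site addresses, flags functions that resolve an API at run time (the GetModuleHandleA/GetProcAddress pair with CancelIoEx among its strings, listed above, is the pattern behind the "Contains functionality to dynamically determine API calls" signature), and un-reverses the short "strings" such as rahc, txet and aolf: these are 32-bit immediates that IDA's string scanner displays in memory (little-endian) byte order, so they read backwards. Reversed they are char, text, blob, clob, real, floa, doub and int, which are the type-name prefixes SQLite's type-affinity lookup compares against; that identification is an inference from the strings and the SQLITE3 module they live in, not something the report states. The record layout the parser assumes (bullet lines, "ref:" addresses, "$"-separated String ID, "Instruction Fuzzy Hash" closing each record) is taken from the visible listing, not from a documented schema, and the sample input is constructed from three records on this page.

```python
"""Reader for the Joe Sandbox IDA-plugin function records shown on this page.

The record layout (bullet lines, 'ref:' call-site addresses, '$'-separated
String ID, 'Instruction Fuzzy Hash' closing each record) is inferred from the
visible listing, not taken from a documented schema.
"""
import re
from dataclasses import dataclass, field

# Constructed input: three records copied from this report, trimmed to the
# lines the parser consumes.
SAMPLE = """\
APIs
• __EH_prolog.LIBCMT ref: 02B73428
• GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02B7346B
• GetProcAddress.KERNEL32(00000000), ref: 02B73472
• GetLastError.KERNEL32 ref: 02B73486
• RtlEnterCriticalSection.NTDLL(00000018), ref: 02B734ED
Strings
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
• String ID: CancelIoEx$KERNEL32
• API String ID: 2902213904-434325024
• Opcode ID: f7753fdf98fb7c241a1a2b9baaf00ae9f88862c9bffd43890de31ba6b9e602ae
• Instruction Fuzzy Hash: 54319AB2A00305DFDB129F64D894BAABBF9FF49350F1488E9E8259B340C7709910CFA1
APIs
• _free.LIBCMT ref: 02B86F01
  • Part of subcall function 02B81F74: HeapFree.KERNEL32(00000000,00000000,?,02B84932,00000000,00000104,74DF0A60), ref: 02B81F88
• RtlEncodePointer.NTDLL(008595F8), ref: 02B86F8B
• String ID:
• Opcode ID: 3c9f1b03277774a50988a001f6b54daaa150805a4c18de2767e9374b2064ea3c
• Instruction Fuzzy Hash: A721B536D89151DFCB217FA8F8436497779EB047A43194DBAE80C97210CB71A866DF60
Strings
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• String ID: aolf$aolf$bolb$bolc$buod$buod$laer$laer$rahc$tni$txet
• Opcode ID: b472df4709d2161ac4da3e6dd873a69b8789eadb7617e1432b7f17fad04b9ea6
• Instruction Fuzzy Hash: 2D31B171A891458ADB21891C85503EE7FBB9BE3344F28902EC8B2DB246C735CCD0C3A2
"""

# One call line: optional subcall prefix, Name.MODULE, optional (args), ref: ADDR
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

# APIs that turn a name into a code pointer at run time.
RESOLVERS = {"GetProcAddress", "LdrGetProcedureAddress"}


@dataclass
class FunctionRecord:
    opcode_id: str = ""
    source: str = ""
    calls: list = field(default_factory=list)    # dicts: name, module, args, ref, caller
    strings: list = field(default_factory=list)


def parse_records(text):
    """Split the listing into one FunctionRecord per 'Instruction Fuzzy Hash' line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_RE.match(line)
        if m:
            cur.calls.append(m.groupdict())
        elif line.startswith("String ID:"):
            body = line[len("String ID:"):]
            body = body[1:] if body.startswith(" ") else body   # one separator space
            cur.strings = body.split("$") if body else []
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("Source File:"):
            cur.source = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            records.append(cur)
            cur = FunctionRecord()
    return records


def call_sites(records, api_name):
    """Every address at which a given API is called, across all records."""
    return sorted(c["ref"] for r in records for c in r.calls if c["name"] == api_name)


def dynamic_imports(records):
    """Functions that resolve an API by name at run time, with the candidate
    names: the function's strings minus the module names it already links to."""
    found = []
    for r in records:
        if not {c["name"] for c in r.calls} & RESOLVERS:
            continue
        modules = {c["module"].upper() for c in r.calls}
        targets = [s for s in r.strings if s.upper() not in modules]
        found.append((r.opcode_id[:12], targets))
    return found


def decode_immediates(strings):
    """A 32-bit immediate whose bytes are printable is shown by IDA in memory
    (little-endian) order, i.e. reversed. Reverse short all-letter tokens."""
    return sorted({s[::-1] for s in strings if 1 < len(s) <= 4 and s.isalpha()})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.opcode_id[:12], [c["name"] for c in r.calls], r.strings)
    print("run-time resolved APIs:", dynamic_imports(recs))
    print("decoded immediates:", decode_immediates(recs[2].strings))
```

Run it as is to see the three records summarised; to triage a whole report, paste the function listing into SAMPLE (or read it from a file) and grep dynamic_imports() output for names that the import table never mentions, which is the same check the "dynamically determine API calls" signature performs.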
                                                                                                            APIs
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6095F030
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6095F03E
                                                                                                            • sqlite3_stricmp.SQLITE3 ref: 6095F0B3
                                                                                                            • sqlite3_free.SQLITE3 ref: 6095F180
                                                                                                              • Part of subcall function 6092E279: strcmp.MSVCRT ref: 6092E2AE
                                                                                                              • Part of subcall function 6092E279: sqlite3_free.SQLITE3 ref: 6092E3A8
                                                                                                            • sqlite3_free.SQLITE3 ref: 6095F1BD
                                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                            • sqlite3_result_error_code.SQLITE3 ref: 6095F34E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_free$sqlite3_value_text$sqlite3_mutex_entersqlite3_result_error_codesqlite3_stricmpstrcmp
                                                                                                            • String ID: |
                                                                                                            • API String ID: 1576672187-2343686810
                                                                                                            • Opcode ID: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
                                                                                                            • Instruction ID: c4017fd8acd983bc841f22cdb0f4132ffe50c361176833da1127552c957ad2bb
                                                                                                            • Opcode Fuzzy Hash: bd5e6f80f73383bab87bf36e59bc4c906ea1158fee4d4fada053c93264453b50
                                                                                                            • Instruction Fuzzy Hash: B2B189B4A08308CBDB01CF69C491B9EBBF2BF68358F148968E854AB355D734EC55CB81
                                                                                                            APIs
                                                                                                            • sqlite3_snprintf.SQLITE3 ref: 6095D450
                                                                                                              • Part of subcall function 60917354: sqlite3_vsnprintf.SQLITE3 ref: 60917375
                                                                                                            • sqlite3_snprintf.SQLITE3 ref: 6095D4A1
                                                                                                            • sqlite3_snprintf.SQLITE3 ref: 6095D525
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_snprintf$sqlite3_vsnprintf
                                                                                                            • String ID: $)><$sqlite_master$sqlite_temp_master
                                                                                                            • API String ID: 652164897-1572359634
                                                                                                            • Opcode ID: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
                                                                                                            • Instruction ID: a98725bc65f6cff0ffebef66634980575a39ba2d787d432de3c608a01e11e389
                                                                                                            • Opcode Fuzzy Hash: 8bad6b48079287e07d66e35ebf7d727d8c0cc4a3de3635d3393f65d8d520b325
                                                                                                            • Instruction Fuzzy Hash: 5991F275E05219CFCB15CF98C48169DBBF2BFA9308F14845AE859AB314DB34ED46CB81
                                                                                                            APIs
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091B06E
                                                                                                            • sqlite3_result_error_toobig.SQLITE3 ref: 6091B178
                                                                                                            • sqlite3_result_error_nomem.SQLITE3 ref: 6091B197
                                                                                                            • sqlite3_result_text.SQLITE3 ref: 6091B5A3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                                                            • String ID:
                                                                                                            • API String ID: 2352520524-0
                                                                                                            • Opcode ID: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
                                                                                                            • Instruction ID: 99f21b63ad5c9672efebb0dd762c853f70c7e366ddc85f9db9da2d733c13ec0c
                                                                                                            • Opcode Fuzzy Hash: 91a3e282f54c964bbb8224fbc5594699699e4a7ba29507b0b3f6ff953b241f0e
                                                                                                            • Instruction Fuzzy Hash: F9E16B71E4C2199BDB208F18C89039EBBF7AB65314F1584DAE8A857351D738DCC19F82
                                                                                                            APIs
                                                                                                              • Part of subcall function 609296D1: sqlite3_value_bytes.SQLITE3 ref: 609296F3
                                                                                                              • Part of subcall function 609296D1: sqlite3_mprintf.SQLITE3 ref: 60929708
                                                                                                              • Part of subcall function 609296D1: sqlite3_free.SQLITE3 ref: 6092971B
                                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A4D7
                                                                                                              • Part of subcall function 6094CBB8: sqlite3_log.SQLITE3 ref: 6094CBF8
                                                                                                            • sqlite3_result_text.SQLITE3 ref: 6096A5D3
                                                                                                              • Part of subcall function 6096A38C: sqlite3_bind_int.SQLITE3 ref: 6096A3DE
                                                                                                              • Part of subcall function 6096A38C: sqlite3_step.SQLITE3 ref: 6096A435
                                                                                                              • Part of subcall function 6096A38C: sqlite3_reset.SQLITE3 ref: 6096A445
                                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A523
                                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A554
                                                                                                            • sqlite3_exec.SQLITE3 ref: 6096A57F
                                                                                                            • sqlite3_result_error_code.SQLITE3 ref: 6096A5E1
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_exec$sqlite3_bind_intsqlite3_freesqlite3_logsqlite3_mprintfsqlite3_resetsqlite3_result_error_codesqlite3_result_textsqlite3_stepsqlite3_value_bytes
                                                                                                            • String ID: optimize
                                                                                                            • API String ID: 3659050757-3797040228
                                                                                                            • Opcode ID: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                                            • Instruction ID: 653702cfcd2f061f0588c77de086fc27204f9fc351fc8b4992cba684a546c14d
                                                                                                            • Opcode Fuzzy Hash: c770602c58b8b739d860714e2a7cbb539b0686760bc80d510edb2603001de118
                                                                                                            • Instruction Fuzzy Hash: E831C3B11187119FE310DF24C49570FBBE6ABA1368F10C91DF9968B350E7B9D8459F82
                                                                                                            APIs
                                                                                                            • sqlite3_column_blob.SQLITE3 ref: 609654FB
                                                                                                            • sqlite3_column_bytes.SQLITE3 ref: 60965510
                                                                                                            • sqlite3_reset.SQLITE3 ref: 60965556
                                                                                                            • sqlite3_reset.SQLITE3 ref: 609655B8
                                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
                                                                                                              • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
                                                                                                            • sqlite3_malloc.SQLITE3 ref: 60965655
                                                                                                            • sqlite3_free.SQLITE3 ref: 60965714
                                                                                                            • sqlite3_free.SQLITE3 ref: 6096574B
                                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                            • sqlite3_free.SQLITE3 ref: 609657AA
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_reset$sqlite3_column_blobsqlite3_column_bytessqlite3_mallocsqlite3_mutex_leave
                                                                                                            • String ID:
                                                                                                            • API String ID: 2722129401-0
                                                                                                            • Opcode ID: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                                            • Instruction ID: e3a8cc565ee031670952cbbbf81914cbe75110044a29491daaf6513bdc913a85
                                                                                                            • Opcode Fuzzy Hash: 718344d9776843f9d3d0f11354c3fb96bdbf3732bae6ebd8df48c35682458f02
                                                                                                            • Instruction Fuzzy Hash: BBD1D270E14219CFEB14CFA9C48469DBBF2BF68304F20856AD899AB346D774E845CF81
                                                                                                            APIs
                                                                                                            • sqlite3_malloc.SQLITE3 ref: 609645D9
                                                                                                              • Part of subcall function 60928099: sqlite3_malloc.SQLITE3 ref: 609280ED
                                                                                                            • sqlite3_free.SQLITE3 ref: 609647C5
                                                                                                              • Part of subcall function 60963D35: memcmp.MSVCRT ref: 60963E74
                                                                                                            • sqlite3_free.SQLITE3 ref: 6096476B
                                                                                                              • Part of subcall function 60901C61: sqlite3_mutex_enter.SQLITE3 ref: 60901C80
                                                                                                            • sqlite3_free.SQLITE3 ref: 6096477B
                                                                                                            • sqlite3_free.SQLITE3 ref: 60964783
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                             • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                             • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_free$sqlite3_malloc$memcmpsqlite3_mutex_enter
                                                                                                            • String ID:
                                                                                                            • API String ID: 571598680-0
                                                                                                            • Opcode ID: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                                            • Instruction ID: 53ad94a03898eae12f4127695087571842428d6fdffc19c65fee49adcf86f1ae
                                                                                                            • Opcode Fuzzy Hash: d604abe0313f10411a0f234c71df8e29ee85eaf68e2bcebad1bf05c151ae1b53
                                                                                                            • Instruction Fuzzy Hash: 5E91F674E14228CFEB14CFA9D890B9EBBB6BB99304F1085AAD849A7344D734DD81CF51
                                                                                                            APIs
                                                                                                            • OpenEventA.KERNEL32(00100002,00000000,00000000,4798DEFF), ref: 02B806B0
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B806C5
                                                                                                            • ResetEvent.KERNEL32(00000000,4798DEFF), ref: 02B806CF
                                                                                                            • CloseHandle.KERNEL32(00000000,4798DEFF), ref: 02B80704
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,4798DEFF), ref: 02B8077A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B8078F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CloseEventHandle$CreateOpenReset
                                                                                                            • String ID:
                                                                                                            • API String ID: 1285874450-0
                                                                                                            • Opcode ID: 11a73ad74f6ced2aa68178fcbbd5b1d03a6c2b1579afcc569db6a9bdc1b7b13f
                                                                                                            • Instruction ID: b766e71aec2863e66fa7ad3b439882749100c3b86fdb74561a948c237f1f3b57
                                                                                                            • Opcode Fuzzy Hash: 11a73ad74f6ced2aa68178fcbbd5b1d03a6c2b1579afcc569db6a9bdc1b7b13f
                                                                                                            • Instruction Fuzzy Hash: E6416074D01358AFDF21EFA4C848BADB7B8FF05764F504A59E819AB280D7749909CF90
                                                                                                            APIs
                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02B720AC
                                                                                                            • SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02B720CD
                                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B720D8
                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 02B7213E
                                                                                                            • GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02B7217A
                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 02B72187
                                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B721A6
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
                                                                                                            • String ID:
                                                                                                            • API String ID: 1171374749-0
                                                                                                            • Opcode ID: a68ef6077d55d2db521efff0ab44a9588df108077b9ee473735f904f8a23c807
                                                                                                            • Instruction ID: 55196dc9e7fea5a8b2d4148058f327f00d77d8ed78a8e990a79bbca2f1f83033
                                                                                                            • Opcode Fuzzy Hash: a68ef6077d55d2db521efff0ab44a9588df108077b9ee473735f904f8a23c807
                                                                                                            • Instruction Fuzzy Hash: 7F411671544705AFC321DF25D884A6BBBF9FBC8654F004A5EF8A683650D730E545CFA2
                                                                                                            APIs
                                                                                                              • Part of subcall function 02B80ED0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02B8072E,?,?), ref: 02B80EFF
                                                                                                              • Part of subcall function 02B80ED0: CloseHandle.KERNEL32(00000000,?,?,02B8072E,?,?), ref: 02B80F14
                                                                                                              • Part of subcall function 02B80ED0: SetEvent.KERNEL32(00000000,02B8072E,?,?), ref: 02B80F27
                                                                                                            • OpenEventA.KERNEL32(00100002,00000000,00000000,4798DEFF), ref: 02B806B0
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B806C5
                                                                                                            • ResetEvent.KERNEL32(00000000,4798DEFF), ref: 02B806CF
                                                                                                            • CloseHandle.KERNEL32(00000000,4798DEFF), ref: 02B80704
                                                                                                            • __CxxThrowException@8.LIBCMT ref: 02B80735
                                                                                                              • Part of subcall function 02B831BA: RaiseException.KERNEL32(?,?,02B7EB5E,?,?,?,?,?,?,?,02B7EB5E,?,02B9ECA8,?), ref: 02B8320F
                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,4798DEFF), ref: 02B8077A
                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02B8078F
                                                                                                              • Part of subcall function 02B80C10: GetCurrentProcessId.KERNEL32(?), ref: 02B80C69
                                                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,4798DEFF), ref: 02B8079F
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2227236058-0
                                                                                                            • Opcode ID: 0c23deca4e6ce4bc37741960c5be1f6e3b88aed6c493a747b1f6d87e27b0eefb
                                                                                                            • Instruction ID: aa7d7dcd23dbcc5dbf11762fdc3b528365b8991269276936b87c2fc7f9795ee6
                                                                                                            • Opcode Fuzzy Hash: 0c23deca4e6ce4bc37741960c5be1f6e3b88aed6c493a747b1f6d87e27b0eefb
                                                                                                            • Instruction Fuzzy Hash: F6315E75D01318ABEF21FBA48C44BADB7B9EF44794F140999E81CAB280D7309949CF61
                                                                                                            APIs
                                                                                                            • sqlite3_blob_reopen.SQLITE3 ref: 60963510
                                                                                                              • Part of subcall function 60962F28: sqlite3_log.SQLITE3 ref: 60962F5D
                                                                                                            • sqlite3_mprintf.SQLITE3 ref: 60963534
                                                                                                            • sqlite3_blob_open.SQLITE3 ref: 6096358B
                                                                                                            • sqlite3_blob_bytes.SQLITE3 ref: 609635A3
                                                                                                            • sqlite3_malloc.SQLITE3 ref: 609635BB
                                                                                                            • sqlite3_blob_read.SQLITE3 ref: 60963602
                                                                                                            • sqlite3_free.SQLITE3 ref: 60963621
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_blob_bytessqlite3_blob_opensqlite3_blob_readsqlite3_blob_reopensqlite3_freesqlite3_logsqlite3_mallocsqlite3_mprintf
                                                                                                            • String ID:
                                                                                                            • API String ID: 4276469440-0
                                                                                                            • Opcode ID: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                                                            • Instruction ID: 177081cd506585250240414a33056f89eeda992db91a315aff795e5fc91eaf1e
                                                                                                            • Opcode Fuzzy Hash: 81f80890dbec9a3991ff68d8cfcbb164f6b4d7f09a97d6cb6c54cb11191f3d09
                                                                                                            • Instruction Fuzzy Hash: C641E5B09087059FDB40DF29C48179EBBE6AF98354F01C87AE898DB354E734D841DB92
                                                                                                            APIs
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A240
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A24E
                                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A25A
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A27C
                                                                                                            Strings
                                                                                                            • LIKE or GLOB pattern too complex, xrefs: 6091A267
                                                                                                            • ESCAPE expression must be a single character, xrefs: 6091A293
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_value_text$sqlite3_value_bytes
                                                                                                            • String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
                                                                                                            • API String ID: 4080917175-264706735
                                                                                                            • Opcode ID: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                                            • Instruction ID: 7e7232241edcba55bc41816b79a09feadaac9d75cc2fb544db44a2248cbef301
                                                                                                            • Opcode Fuzzy Hash: e5bda90e0e0ba1860c41bc069fb20e3a267b2c9271c0a370806f06164fd47fa4
                                                                                                            • Instruction Fuzzy Hash: A4214C74A182198BCB00DF79C88165EBBF6FF64354B108AA9E864DB344E734DCC6CB95
                                                                                                            APIs
                                                                                                              • Part of subcall function 6092506E: sqlite3_log.SQLITE3 ref: 609250AB
                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 609250E7
                                                                                                            • sqlite3_value_text16.SQLITE3 ref: 60925100
                                                                                                            • sqlite3_value_text16.SQLITE3 ref: 6092512C
                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 6092513E
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_value_text16$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                            • String ID: library routine called out of sequence$out of memory
                                                                                                            • API String ID: 2019783549-3029887290
                                                                                                            • Opcode ID: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                                            • Instruction ID: f6310061860eb79c45c0a7b6efb00bde58ba827c5a391e7df96a4cb3fbc4cfa9
                                                                                                            • Opcode Fuzzy Hash: bf8b25fefa583efc99e02b0fe9019e927645d1a19242a42ec125398c6bed8d9e
                                                                                                            • Instruction Fuzzy Hash: 81014C70A083049BDB14AF69C9C170EBBE6BF64248F0488A9EC958F30EE775D8818B51
                                                                                                            APIs
                                                                                                            • __init_pointers.LIBCMT ref: 02B849F4
                                                                                                              • Part of subcall function 02B870B0: RtlEncodePointer.NTDLL(00000000), ref: 02B870B3
                                                                                                              • Part of subcall function 02B870B0: __initp_misc_winsig.LIBCMT ref: 02B870CE
                                                                                                              • Part of subcall function 02B870B0: GetModuleHandleW.KERNEL32(kernel32.dll,?,02B9F248,00000008,00000003,02B9EC8C,?,00000001), ref: 02B87E33
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02B87E47
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02B87E5A
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02B87E6D
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02B87E80
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02B87E93
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02B87EA6
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02B87EB9
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02B87ECC
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02B87EDF
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02B87EF2
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02B87F05
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02B87F18
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02B87F2B
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02B87F3E
                                                                                                              • Part of subcall function 02B870B0: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02B87F51
                                                                                                            • __mtinitlocks.LIBCMT ref: 02B849F9
                                                                                                            • __mtterm.LIBCMT ref: 02B84A02
                                                                                                              • Part of subcall function 02B84A6A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02B874E6
                                                                                                              • Part of subcall function 02B84A6A: _free.LIBCMT ref: 02B874ED
                                                                                                              • Part of subcall function 02B84A6A: RtlDeleteCriticalSection.NTDLL(02BA1978), ref: 02B8750F
                                                                                                            • __calloc_crt.LIBCMT ref: 02B84A27
                                                                                                            • __initptd.LIBCMT ref: 02B84A49
                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 02B84A50
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 3567560977-0
                                                                                                            • Opcode ID: e4d40d60fb8779842146a21c60a02ed670365a0d3a87c12aaa9e5657e8049447
                                                                                                            • Instruction ID: 8bc99271df8dbccd57dc105fd40672117bd6242345beda7ce9b594b165041c38
                                                                                                            • Opcode Fuzzy Hash: e4d40d60fb8779842146a21c60a02ed670365a0d3a87c12aaa9e5657e8049447
                                                                                                            • Instruction Fuzzy Hash: A9F06D3A5983125EE6647A78A80675A7AA2DB42778B304AD9E06CDA4D0FF308441EA94
                                                                                                            APIs
                                                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02B82473,00000000), ref: 02B824DB
                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02B824E2
                                                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 02B824EE
                                                                                                            • RtlDecodePointer.NTDLL(00000001), ref: 02B8250B
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                                            • String ID: RoInitialize$combase.dll
                                                                                                            • API String ID: 3489934621-340411864
                                                                                                            • Opcode ID: 4c0c88b848700a8116ba1aef35b9bd6ed16dcd812b0a590832354937bd0b6b32
                                                                                                            • Instruction ID: c2879437a5df9419166eb7435093ad425bf5837f0bd1ecc542d71045b16a13a5
                                                                                                            • Opcode Fuzzy Hash: 4c0c88b848700a8116ba1aef35b9bd6ed16dcd812b0a590832354937bd0b6b32
                                                                                                            • Instruction Fuzzy Hash: 81E0E575AD0200EAEF312FB0ED4AB153AB8A7007C6F9048A0F106D7190CBF461A8AF24
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02B824B0), ref: 02B825B0
• GetProcAddress.KERNEL32(00000000), ref: 02B825B7
• RtlEncodePointer.NTDLL(00000000), ref: 02B825C2
• RtlDecodePointer.NTDLL(02B824B0), ref: 02B825DD
Strings
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: bd325b586b3a67a9d623be6e8b7d3272a761bcefa831b72a456a950e5b4ffd2b
• Instruction ID: 6bf11b828f54bcc677b6242dd1d92e17c5c94c72bc98e6067a4e09e21e4d7f82
• Opcode Fuzzy Hash: bd325b586b3a67a9d623be6e8b7d3272a761bcefa831b72a456a950e5b4ffd2b
• Instruction Fuzzy Hash: 6DE092709C0200ABEA315F60AA2EB143BB8B704785F604C64F606A7195DBB890A49B14
APIs
• TlsGetValue.KERNEL32(0000002B,4798DEFF,?,?,?,?,00000000,02B940D8,000000FF,02B811CA), ref: 02B80F6A
• TlsSetValue.KERNEL32(0000002B,02B811CA,?,?,00000000), ref: 02B80FD7
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 02B81001
• HeapFree.KERNEL32(00000000), ref: 02B81004
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: HeapValue$FreeProcess
• String ID:
• API String ID: 1812714009-0
• Opcode ID: 0ce11291da7e1673d82c62d91cb917a194549eae1c65c466f08fd2f9fb254c27
• Instruction ID: c1a3de5ba70e7bf49d28da57df6159874e3f8f1709f628f0815f1199eca1e44f
• Opcode Fuzzy Hash: 0ce11291da7e1673d82c62d91cb917a194549eae1c65c466f08fd2f9fb254c27
• Instruction Fuzzy Hash: 7E51F3319053849FDB20EF29C944B16BBE5FF447A4F098A98E86DEB280D731EC05CB91
APIs
• _ValidateScopeTableHandlers.LIBCMT ref: 02B92DA0
• __FindPESection.LIBCMT ref: 02B92DBA
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: FindHandlersScopeSectionTableValidate
• String ID:
• API String ID: 876702719-0
• Opcode ID: 98f4b24f8323bea549da372b01f62c1b608944f333a7f414ee17444f344f3e95
• Instruction ID: 5c6944df9a2a18eb11106d8546687c5b534f6b8be71253cc8bc49cfca7dc4654
• Opcode Fuzzy Hash: 98f4b24f8323bea549da372b01f62c1b608944f333a7f414ee17444f344f3e95
• Instruction Fuzzy Hash: F3A1AE72E00615AFDF24CF18D980BA9B7B5FB48314F5886B9EC05AB351E730E941CBA0
APIs
• sqlite3_free.SQLITE3(?), ref: 609476DD
  • Part of subcall function 60904423: sqlite3_mutex_leave.SQLITE3(6090449D,?,?,?,60908270), ref: 60904446
• sqlite3_log.SQLITE3 ref: 609498F5
Strings
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_freesqlite3_logsqlite3_mutex_leave
• String ID: List of tree roots: $d$|
• API String ID: 3709608969-1164703836
• Opcode ID: 4de08d56d8a6e192ae2dda07a929c8b2a00a3f2e2d212eb9bfb53aebfe2a6bac
• Instruction ID: c91562837ba2d96ae21b52ab8334c840e7cbe23d8154f1acff92b465618a0bd4
• Opcode Fuzzy Hash: 4de08d56d8a6e192ae2dda07a929c8b2a00a3f2e2d212eb9bfb53aebfe2a6bac
• Instruction Fuzzy Hash: 3FE10570A043698BDB22CF18C88179DFBBABF65304F1185D9E858AB251D775DE81CF81
APIs
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02B71CB1
• CloseHandle.KERNEL32(?), ref: 02B71CBA
• InterlockedExchangeAdd.KERNEL32(02BA5264,00000000), ref: 02B71CC6
• TerminateThread.KERNEL32(?,00000000), ref: 02B71CD4
• QueueUserAPC.KERNEL32(02B71E7C,?,00000000), ref: 02B71CE1
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 02B71CEC
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
• String ID:
• API String ID: 1946104331-0
• Opcode ID: 385db26416bd50695f6bdfd90a6295a6ddce986d7d76776c89aee835c458df4e
• Instruction ID: 291378289a560776282831e218de87aa2d4bdf9108af03cf8a0a9ecd2758a1ea
• Opcode Fuzzy Hash: 385db26416bd50695f6bdfd90a6295a6ddce986d7d76776c89aee835c458df4e
• Instruction Fuzzy Hash: 64F0AF31990200BFE7315BAADE0DE5BBFBCEF857617404659F56A83190DB70A810CBB0
APIs
  • Part of subcall function 6095FFB2: sqlite3_bind_int64.SQLITE3 ref: 6095FFFA
  • Part of subcall function 6095FFB2: sqlite3_step.SQLITE3 ref: 60960009
  • Part of subcall function 6095FFB2: sqlite3_reset.SQLITE3 ref: 60960019
  • Part of subcall function 6095FFB2: sqlite3_result_error_code.SQLITE3 ref: 60960043
• sqlite3_column_int64.SQLITE3 ref: 609600BA
• sqlite3_column_text.SQLITE3 ref: 609600EF
• sqlite3_free.SQLITE3 ref: 6096029A
Strings
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_bind_int64sqlite3_column_int64sqlite3_column_textsqlite3_freesqlite3_resetsqlite3_result_error_codesqlite3_step
• String ID: e
• API String ID: 786425071-4024072794
• Opcode ID: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
• Instruction ID: e80500568aa73e744b5c90812a7938b6c4ac38b40afb48beb036dafaf3e7d002
• Opcode Fuzzy Hash: 373422d03c3c71c2ddc35291c61dfb2213fd8f263c0b9a30c36f02d650250dc2
• Instruction Fuzzy Hash: 6291E270A18609CFDB04CF99C494B9EBBF2BF98314F108529E869AB354D774E885CF91
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_exec
• String ID: sqlite_master$sqlite_temp_master$|
• API String ID: 2141490097-2247242311
• Opcode ID: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
• Instruction ID: 9143400cfb6dc20a8edc2ca7c04099347fc9d468871a1d2187ae3123f936d49a
• Opcode Fuzzy Hash: 0e32379bf9c90bcee3e658b343db186d73978ee403121efd96d42beb4ff38922
• Instruction Fuzzy Hash: C551B6B09083289BDB26CF18C885799BBFABF59304F108599E498A7351D775DA84CF41
APIs
• std::exception::exception.LIBCMT ref: 02B8097F
  • Part of subcall function 02B814D3: std::exception::_Copy_str.LIBCMT ref: 02B814EC
  • Part of subcall function 02B7FD50: __CxxThrowException@8.LIBCMT ref: 02B7FDAE
• std::exception::exception.LIBCMT ref: 02B809DE
Strings
• $, xrefs: 02B809E3
• boost unique_lock has no mutex, xrefs: 02B8096E
• boost unique_lock owns already the mutex, xrefs: 02B809CD
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
• String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
• API String ID: 2140441600-46888669
• Opcode ID: cba0b7cd8e90f52ffa7a8deeef151d1edbb3c911072ad529c0afbe8d48d95db7
• Instruction ID: 995448ef27326bc55af9dbf5b2901108001d1d5761598f582b1c6a8ada83cb33
• Opcode Fuzzy Hash: cba0b7cd8e90f52ffa7a8deeef151d1edbb3c911072ad529c0afbe8d48d95db7
• Instruction Fuzzy Hash: F42106B15083909FD720EF28C55575BBBE9BB88B48F004DADF4A987290D7B59448CF92
APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 02B72350
• InterlockedExchange.KERNEL32(?,00000001), ref: 02B72360
• PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B72370
• GetLastError.KERNEL32 ref: 02B7237A
  • Part of subcall function 02B71712: __EH_prolog.LIBCMT ref: 02B71717
Strings
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
• String ID: pqcs
• API String ID: 1619523792-2559862021
• Opcode ID: 9474b04f6c4f17dcaf210c499419c834116ab63145cfc178100e0169c3eb81f7
• Instruction ID: 28a9d989ecd8ac19ebb2e110ba065c2f18309339aac3e349577a2c679235e875
• Opcode Fuzzy Hash: 9474b04f6c4f17dcaf210c499419c834116ab63145cfc178100e0169c3eb81f7
• Instruction Fuzzy Hash: 40F0BEB1A80304AFDB30AFB49D0AFAB7BBCEF00245F4049A9E949C3100FB71D9148B90
APIs
• __EH_prolog.LIBCMT ref: 02B74035
• GetProcessHeap.KERNEL32(00000000,?), ref: 02B74042
• RtlAllocateHeap.NTDLL(00000000), ref: 02B74049
• std::exception::exception.LIBCMT ref: 02B74063
  • Part of subcall function 02B796C6: __EH_prolog.LIBCMT ref: 02B796CB
  • Part of subcall function 02B796C6: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02B796DA
  • Part of subcall function 02B796C6: __CxxThrowException@8.LIBCMT ref: 02B796F9
Strings
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
• String ID: bad allocation
• API String ID: 3112922283-2104205924
• Opcode ID: 0d05224b97379969cf0be075016b83e48338cf224fbe914b1c62b5be2a8edffb
• Instruction ID: fd151272d0eaed80ee6fd943ef39843ba3cd913f30bae79b0063f5e6ec38366b
• Opcode Fuzzy Hash: 0d05224b97379969cf0be075016b83e48338cf224fbe914b1c62b5be2a8edffb
• Instruction Fuzzy Hash: 01F08C72E40249ABDF11EFE0C948BEFB7BCEB04301F0045E8E925A6280DB384219CF91
APIs
  • Part of subcall function 6090A0D5: sqlite3_free.SQLITE3 ref: 6090A118
• sqlite3_malloc.SQLITE3 ref: 6094B1D1
• sqlite3_value_bytes.SQLITE3 ref: 6094B24C
• sqlite3_malloc.SQLITE3 ref: 6094B272
• sqlite3_value_blob.SQLITE3 ref: 6094B298
• sqlite3_free.SQLITE3 ref: 6094B2C8
  • Part of subcall function 6094A894: sqlite3_bind_int64.SQLITE3 ref: 6094A8C0
  • Part of subcall function 6094A894: sqlite3_step.SQLITE3 ref: 6094A8CE
  • Part of subcall function 6094A894: sqlite3_column_int64.SQLITE3 ref: 6094A8E9
  • Part of subcall function 6094A894: sqlite3_reset.SQLITE3 ref: 6094A90F
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_freesqlite3_malloc$sqlite3_bind_int64sqlite3_column_int64sqlite3_resetsqlite3_stepsqlite3_value_blobsqlite3_value_bytes
• String ID:
• API String ID: 683514883-0
• Opcode ID: a6abbae8c6e8f2e89577a489a37bdbe998ef9662ada317e1813a59820f6ee2b0
• Instruction ID: 83940ce9cf0a2bab7a741171fc95cc3a005d2848f59039768723a80715f2adcb
• Opcode Fuzzy Hash: a6abbae8c6e8f2e89577a489a37bdbe998ef9662ada317e1813a59820f6ee2b0
• Instruction Fuzzy Hash: E19133B1A052099FCB04CFA9D490B9EBBF6FF68314F108569E855AB341DB34ED81CB91
APIs
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A391
• sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A3A3
• sqlite3_free.SQLITE3 ref: 6093A3BA
• sqlite3_free.SQLITE3 ref: 6093A3C2
  • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
  • Part of subcall function 6093A0C5: sqlite3_mutex_free.SQLITE3 ref: 6093A152
  • Part of subcall function 6093A0C5: sqlite3_mutex_leave.SQLITE3 ref: 6093A162
  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1A4
  • Part of subcall function 6093A0C5: sqlite3_free.SQLITE3 ref: 6093A1C3
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_free$sqlite3_mutex_enter
• String ID:
• API String ID: 1903298374-0
• Opcode ID: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
• Instruction ID: f6c450fbbadf2e04ab128defb7df19fdb2a161b4e6cf4e71623f80625393026f
• Opcode Fuzzy Hash: 8530df85f137a660efabd51ca86f4821d2fdcc6d7a3fd2cfb4f5547b241dda56
• Instruction Fuzzy Hash: EB513870A047218BDB58DF69C8C074AB7A6BF65318F05896CECA69B305D735EC41CF91
APIs
  • Part of subcall function 02B80A50: CloseHandle.KERNEL32(00000000,4798DEFF), ref: 02B80AA1
  • Part of subcall function 02B80A50: WaitForSingleObject.KERNEL32(?,000000FF,4798DEFF,?,?,?,?,4798DEFF,02B80A23,4798DEFF), ref: 02B80AB8
• ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02B80D1E
• ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02B80D3E
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02B80D77
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02B80DCB
• SetEvent.KERNEL32(?), ref: 02B80DD2
  • Part of subcall function 02B7418C: CloseHandle.KERNEL32(00000000,?,02B80D05), ref: 02B741B0
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
• String ID:
• API String ID: 4166353394-0
• Opcode ID: 20eacb3a0368fcf61270d8cbb169f2121e6c9d01de12968b461de7356cfc72eb
• Instruction ID: e0b68f8faeac15ea66a7ee40dd44026b1d0d9cfaf1abc3e5716de6008c9c2a6e
• Opcode Fuzzy Hash: 20eacb3a0368fcf61270d8cbb169f2121e6c9d01de12968b461de7356cfc72eb
• Instruction Fuzzy Hash: 014104316403019FDB26BF28CC8072777A4EF453A4F144AA8EC1CEB285E736E815CB91
APIs
• InterlockedExchange.KERNEL32(?,00000001), ref: 02B720AC
• SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02B720CD
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B720D8
• InterlockedDecrement.KERNEL32(?), ref: 02B7213E
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B721A6
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: Interlocked$Exchange$DecrementTimerWaitable
• String ID:
• API String ID: 1611172436-0
• Opcode ID: ab539c667da0a05619d331e9aee0111b22b172cd18fbccf4190597cc2ddf1fcd
• Instruction ID: 488683e8dc64bf48976bdf988d487318d2f18014bef802ef4b194d64dd4cd8bd
• Opcode Fuzzy Hash: ab539c667da0a05619d331e9aee0111b22b172cd18fbccf4190597cc2ddf1fcd
• Instruction Fuzzy Hash: D4315A72544701AFC321DF29D884A6BBBF9FFC8654F000A6EF8A683650D730E546CBA1
APIs
  • Part of subcall function 60904396: sqlite3_mutex_try.SQLITE3(?,?,?,60908235), ref: 609043B8
• sqlite3_mutex_enter.SQLITE3 ref: 6093A114
• sqlite3_mutex_free.SQLITE3 ref: 6093A152
• sqlite3_mutex_leave.SQLITE3 ref: 6093A162
• sqlite3_free.SQLITE3 ref: 6093A1A4
• sqlite3_free.SQLITE3 ref: 6093A1C3
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
• String ID:
• API String ID: 1894464702-0
• Opcode ID: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
• Instruction ID: 8ebadd1dc7ee404a0f141fd21885e91e0aa1156a5a6df10951b92a0b718128ce
• Opcode Fuzzy Hash: 7188b9a67afd66d207271078c150a83da37f36a2752b1b5804700c826a798ba9
• Instruction Fuzzy Hash: CF313C70B086118BDB18DF79C8C1A1A7BFBBFB2704F148468E8418B219EB35DC419F91
APIs
• __EH_prolog.LIBCMT ref: 02B7D0FC
  • Part of subcall function 02B71A01: TlsGetValue.KERNEL32 ref: 02B71A0A
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B7D17B
• RtlEnterCriticalSection.NTDLL(?), ref: 02B7D197
• InterlockedIncrement.KERNEL32(02BA30F0), ref: 02B7D1BC
• RtlLeaveCriticalSection.NTDLL(?), ref: 02B7D1D1
  • Part of subcall function 02B727F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02B7284E
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
• String ID:
• API String ID: 1578506061-0
• Opcode ID: dfb4eeb8c3d72091e0d634f8c8e568d6f80310fc99696445be06814e9f017b4d
• Instruction ID: d598051442a1b7dfbdcf6fde47744871da97204262ad91fb4b9471abc7af6d74
• Opcode Fuzzy Hash: dfb4eeb8c3d72091e0d634f8c8e568d6f80310fc99696445be06814e9f017b4d
• Instruction Fuzzy Hash: 703116B1D013059FCB20DFA8C5446AABBF8FF08350F14459ED85AD7641E734AA54CFA0
APIs
  • Part of subcall function 60925326: sqlite3_log.SQLITE3 ref: 60925352
• sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,609254CC), ref: 6092538E
• sqlite3_mutex_leave.SQLITE3 ref: 609253C4
• sqlite3_log.SQLITE3 ref: 609253E2
• sqlite3_log.SQLITE3 ref: 60925406
• sqlite3_mutex_leave.SQLITE3 ref: 60925443
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_log$sqlite3_mutex_leave$sqlite3_mutex_enter
• String ID:
• API String ID: 3336957480-0
• Opcode ID: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
• Instruction ID: a100dd02d465b32589d57b5b9efe4db3cd483c3b5de54de748c9b161d5d001e2
• Opcode Fuzzy Hash: 1198911827aa14b9fab328e6e7c73bc961b2278be0ca20fe6461460b1b30ceeb
• Instruction Fuzzy Hash: D3315A70228704DBDB00EF28D49575ABBE6AFA1358F00886DE9948F36DD778C885DB02
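The records above are the per-function listings the report's IDA plugin emits: the imported APIs each function touches (with "Part of subcall function" lines for calls one level down), the memory dump the function was lifted from, and the opcode, instruction and fuzzy-hash identifiers used for similarity matching. The field worth pulling out when triaging is the dump source: the functions at 02B7xxxx come from 0000000002B71000.00000040.00001000.00020000.00000000.sdmp with "based on PE: false", while every sqlite3 function comes from 0000000060901000.00000020.00000001.01000000.0000000A.sdmp with "based on PE: true". Reading the fifth and seventh dot-separated fields of the .sdmp name as the Win32 page protection and memory type (0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE; 0x20 = PAGE_EXECUTE_READ, 0x1000000 = MEM_IMAGE) is my assumption, consistent with every dump name on this page but not documented in the report; the remaining fields are carried through undecoded. The Python below is an added example, not part of the report or of Joe Sandbox's tooling: it parses such records into structured data and separates functions that live in private RWX memory with no backing PE (the unpacked core) from functions inside a mapped module image. Its sample input is two records copied from this page, with the "Download File" link labels removed and most "Associated" lines dropped.

```python
"""Parse Joe Sandbox per-function listings (APIs / Memory Dump Source /
Similarity blocks) and flag functions whose code lives in private RWX memory
with no backing PE, i.e. the unpacked payload rather than a loaded DLL."""
import re
from typing import Dict, List

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
# "• Name.MODULE(args), ref: ADDR", optionally prefixed by a subcall marker.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Za-z0-9_@]+)"
    r"(?:\((?P<args>[^)]*)\))?,?(?:\s+ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$")
SOURCE_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
# Win32 MEMORY_BASIC_INFORMATION constants (Protect and Type).
PAGE_PROTECT = {0x02: "R", 0x04: "RW", 0x08: "WC", 0x10: "X",
                0x20: "RX", 0x40: "RWX", 0x80: "WCX"}
MEM_TYPE = {0x20000: "PRIVATE", 0x40000: "MAPPED", 0x1000000: "IMAGE"}


def decode_dump_name(name: str) -> Dict:
    """ASSUMED layout: pid.run.dumpid.base.protect.f5.type.f7.sdmp, with
    protect/type being the Win32 page protection and memory type."""
    parts = name.split(".")
    if len(parts) != 9 or parts[8] != "sdmp":
        raise ValueError(f"unexpected dump name: {name}")
    protect = int(parts[4], 16) & 0xFF      # drop PAGE_GUARD / NOCACHE bits
    mtype = int(parts[6], 16)
    return {"pid": int(parts[0], 16), "dump_id": parts[2],
            "base": int(parts[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype))}


def parse_records(text: str) -> List[Dict]:
    """One dict per function; a record starts at each 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                rec = {"apis": [], "associated": [], "fields": {}}
                records.append(rec)
            section = line
            continue
        if rec is None:
            continue                        # text before the first record
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                rec["apis"].append({"name": m["name"], "module": m["module"],
                                    "args": m["args"], "ref": m["ref"],
                                    "subcall_of": m["sub"]})
            continue
        m = SOURCE_RE.match(line)
        if m:
            rec["source"] = m["file"]
            rec["offset"] = int(m["offset"], 16)
            rec["based_on_pe"] = m["pe"] == "true"
            rec["region"] = decode_dump_name(m["file"])
            continue
        m = KV_RE.match(line)
        if m and m["key"] == "Associated":
            rec["associated"].append(m["val"].strip())
        elif m:
            rec["fields"][m["key"]] = m["val"].strip()
    return records


def api_names(rec: Dict, include_subcalls: bool = False) -> List[str]:
    """Sorted set of imported API names, direct calls only by default."""
    return sorted({a["name"] for a in rec["apis"]
                   if include_subcalls or a["subcall_of"] is None})


def unpacked_code_records(records: List[Dict]) -> List[Dict]:
    """Functions in private RWX memory with no PE behind them: the unpacked
    core, as opposed to functions inside a mapped module image."""
    return [r for r in records if "region" in r and not r["based_on_pe"]
            and r["region"]["type"] == "PRIVATE"
            and r["region"]["protect"] == "RWX"]


# Constructed input: two records copied from this report, trimmed.
SAMPLE = """
APIs
• __EH_prolog.LIBCMT ref: 02B74035
• GetProcessHeap.KERNEL32(00000000,?), ref: 02B74042
• RtlAllocateHeap.NTDLL(00000000), ref: 02B74049
• std::exception::exception.LIBCMT ref: 02B74063
  • Part of subcall function 02B796C6: __CxxThrowException@8.LIBCMT ref: 02B796F9
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Similarity
• String ID: bad allocation
• API String ID: 3112922283-2104205924
APIs
• sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,6093A8DF), ref: 6093A200
• sqlite3_free.SQLITE3 ref: 6093A3BA
  • Part of subcall function 6093A0C5: sqlite3_mutex_enter.SQLITE3 ref: 6093A114
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
Similarity
• String ID:
• API String ID: 1903298374-0
"""

if __name__ == "__main__":
    for r in unpacked_code_records(parse_records(SAMPLE)):
        print(hex(r["offset"]), r["region"]["protect"], api_names(r))
```

In bulk triage this is what lets you set the sqlite3 helper code aside before spending time on API chains: only the records from the private RWX region belong to the sample's own unpacked functions, and `api_names()` on those gives the per-function import set (the semaphore, waitable-timer and critical-section calls listed above) without the subcall noise.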
                                                                                                            APIs
                                                                                                            • sqlite3_result_blob.SQLITE3 ref: 609613D0
                                                                                                            • sqlite3_column_int.SQLITE3 ref: 6096143A
                                                                                                            • sqlite3_data_count.SQLITE3 ref: 60961465
                                                                                                            • sqlite3_column_value.SQLITE3 ref: 60961476
                                                                                                            • sqlite3_result_value.SQLITE3 ref: 60961482
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_column_intsqlite3_column_valuesqlite3_data_countsqlite3_result_blobsqlite3_result_value
                                                                                                            • String ID:
                                                                                                            • API String ID: 3091402450-0
                                                                                                            • Opcode ID: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                                                            • Instruction ID: 8b12398a3b1f37ca0d2e1a8d549e1f0529ecbd38da511dd0edd3444da8e5cc4d
                                                                                                            • Opcode Fuzzy Hash: 15f5c91e7d752206cb5be57281081ebbda5684d1dfb7c3b21a78c03d1c189b87
                                                                                                            • Instruction Fuzzy Hash: 72314DB19082058FDB00DF29C48064EB7F6FF65354F19856AE8999B361EB34E886CF81
                                                                                                            APIs
                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B72A3B
                                                                                                            • closesocket.WS2_32 ref: 02B72A42
                                                                                                            • ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02B72A89
                                                                                                            • WSASetLastError.WS2_32(00000000,?,8004667E,00000000), ref: 02B72A97
                                                                                                            • closesocket.WS2_32 ref: 02B72A9E
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ErrorLastclosesocket$ioctlsocket
                                                                                                            • String ID:
                                                                                                            • API String ID: 1561005644-0
                                                                                                            • Opcode ID: a884cf0a8ad85b066299450fc9834700f226951c153ea5a73787a6e556a1b56c
                                                                                                            • Instruction ID: d1315e742fac876fcc766756c1179424b5c95e858d37fb5fefda3eb6c451fa7c
                                                                                                            • Opcode Fuzzy Hash: a884cf0a8ad85b066299450fc9834700f226951c153ea5a73787a6e556a1b56c
                                                                                                            • Instruction Fuzzy Hash: A821F575E00305ABEB21AFB8994476E77F9EF44355F2149AAE875C3281EB7089408B60
                                                                                                            APIs
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                                                            • String ID:
                                                                                                            • API String ID: 251237202-0
                                                                                                            • Opcode ID: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                                                            • Instruction ID: 8e14962182cb4ba31828fc05f1b37fa5954e33605a362b2e641de35f96add61e
                                                                                                            • Opcode Fuzzy Hash: ee0aefbaff40cad113deb2524f723b57adfc4224f15c8691f87345bc20e459c1
                                                                                                            • Instruction Fuzzy Hash: 022137B46087158BC709AF68C48570ABBF6FFA5318F10895DEC958B345DB74E940CB82
                                                                                                            APIs
                                                                                                            • sqlite3_aggregate_context.SQLITE3 ref: 6091A31E
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A349
                                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A356
                                                                                                            • sqlite3_value_text.SQLITE3 ref: 6091A37B
                                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A387
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_value_bytessqlite3_value_text$sqlite3_aggregate_context
                                                                                                            • String ID:
                                                                                                            • API String ID: 4225432645-0
                                                                                                            • Opcode ID: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                                                            • Instruction ID: 24a20a1669ecabf1c8c9e0f75de4e20f6480f0c3e20d7f4799920e66bb4c3c2a
                                                                                                            • Opcode Fuzzy Hash: e7dd5294350f58c57afd4f2551108a775ab72f2657aaaf635efeb712e258985e
                                                                                                            • Instruction Fuzzy Hash: 3F21CF71B086588FDB009F29C48075E7BE7AFA4254F0484A8E894CF305EB34DC86CB91
                                                                                                            APIs
                                                                                                            • _malloc.LIBCMT ref: 02B8E8A0
                                                                                                              • Part of subcall function 02B81FAC: __FF_MSGBANNER.LIBCMT ref: 02B81FC3
                                                                                                              • Part of subcall function 02B81FAC: __NMSG_WRITE.LIBCMT ref: 02B81FCA
                                                                                                              • Part of subcall function 02B81FAC: RtlAllocateHeap.NTDLL(00850000,00000000,00000001), ref: 02B81FEF
                                                                                                            • _free.LIBCMT ref: 02B8E8B3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateHeap_free_malloc
                                                                                                            • String ID:
                                                                                                            • API String ID: 1020059152-0
                                                                                                            • Opcode ID: 6833d0b55764df21a50b648bc820156fd137e690a6d3f910299ffa6355e4853a
                                                                                                            • Instruction ID: bfad5a0442af4531ff592cb29732e2cee627840f7e5b4e5297374d4cbe400d61
                                                                                                            • Opcode Fuzzy Hash: 6833d0b55764df21a50b648bc820156fd137e690a6d3f910299ffa6355e4853a
                                                                                                            • Instruction Fuzzy Hash: C311A032C45216AFCF613B74E848B9E37A9EF153A0B1049A5FA1D9B190DBB4D450CAD4
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B721DA
                                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B721ED
                                                                                                            • TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02B72224
                                                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02B72237
                                                                                                            • TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02B72261
                                                                                                              • Part of subcall function 02B72341: InterlockedExchange.KERNEL32(?,00000001), ref: 02B72350
                                                                                                              • Part of subcall function 02B72341: InterlockedExchange.KERNEL32(?,00000001), ref: 02B72360
                                                                                                              • Part of subcall function 02B72341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B72370
                                                                                                              • Part of subcall function 02B72341: GetLastError.KERNEL32 ref: 02B7237A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                            • String ID:
                                                                                                            • API String ID: 1856819132-0
                                                                                                            • Opcode ID: 87be63fbfc7b236e516d8db5efea004bb6a7f9d7f73a08dd4f93ea7e7fef86fb
                                                                                                            • Instruction ID: a5775d8d5aed3ed866e802bb959e72bb4d7078c9ea4c32feee01dd7d93d34c14
                                                                                                            • Opcode Fuzzy Hash: 87be63fbfc7b236e516d8db5efea004bb6a7f9d7f73a08dd4f93ea7e7fef86fb
                                                                                                            • Instruction Fuzzy Hash: B6118E72D40214EFCF21AFA4D9046AEBBBAFF54350F1045AAED65A3260D7318A61CF90
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B7229D
                                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B722B0
                                                                                                            • TlsGetValue.KERNEL32 ref: 02B722E7
                                                                                                            • TlsSetValue.KERNEL32(?), ref: 02B72300
                                                                                                            • TlsSetValue.KERNEL32(?,?,?), ref: 02B7231C
                                                                                                              • Part of subcall function 02B72341: InterlockedExchange.KERNEL32(?,00000001), ref: 02B72350
                                                                                                              • Part of subcall function 02B72341: InterlockedExchange.KERNEL32(?,00000001), ref: 02B72360
                                                                                                              • Part of subcall function 02B72341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02B72370
                                                                                                              • Part of subcall function 02B72341: GetLastError.KERNEL32 ref: 02B7237A
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
                                                                                                            • String ID:
                                                                                                            • API String ID: 1856819132-0
                                                                                                            • Opcode ID: 05a63923b39358a204e118dc5e14dac8b38c628c68124fa518e807ec45bd713d
                                                                                                            • Instruction ID: f1f9709acf080a53bfeda486c591ed902ed37351c011ba0e37d98708961c039e
                                                                                                            • Opcode Fuzzy Hash: 05a63923b39358a204e118dc5e14dac8b38c628c68124fa518e807ec45bd713d
                                                                                                            • Instruction Fuzzy Hash: 9E113D72D40219EFCB12AFA5D8446AEBFBAFF44350F1085AAEC15A3220D7714A61DF90
                                                                                                            APIs
                                                                                                              • Part of subcall function 02B7A161: __EH_prolog.LIBCMT ref: 02B7A166
                                                                                                            • __CxxThrowException@8.LIBCMT ref: 02B7AD2B
                                                                                                              • Part of subcall function 02B831BA: RaiseException.KERNEL32(?,?,02B7EB5E,?,?,?,?,?,?,?,02B7EB5E,?,02B9ECA8,?), ref: 02B8320F
                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,02B9FA1C,?,00000001), ref: 02B7AD41
                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02B7AD54
                                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,02B9FA1C,?,00000001), ref: 02B7AD64
                                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02B7AD72
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
                                                                                                            • String ID:
                                                                                                            • API String ID: 2725315915-0
                                                                                                            • Opcode ID: da4064e23c47285dc09024f6a22af19c949e28019d90879119c4b6cdbf3fce15
                                                                                                            • Instruction ID: ac06d2fb136d9d8f997320738615f7e5ab777c05a96a7d024c9d9129b48c820c
                                                                                                            • Opcode Fuzzy Hash: da4064e23c47285dc09024f6a22af19c949e28019d90879119c4b6cdbf3fce15
                                                                                                            • Instruction Fuzzy Hash: 7B01F972A40204AFDB20AFA0DCC9F8A77BDEF04BA5F408454F626D7190DB60E814CB50
                                                                                                            APIs
                                                                                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02B72432
                                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02B72445
                                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02B72454
                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02B72469
                                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02B72470
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
                                                                                                            • String ID:
                                                                                                            • API String ID: 747265849-0
                                                                                                            • Opcode ID: fc503bf9c012d502d05c0532f0908064c7849110fe966dbb4976f7f99d81f7a5
                                                                                                            • Instruction ID: f6f97d13cde604dc8a261c672db6c88e3977f1c338d4f230354d20be2470248d
                                                                                                            • Opcode Fuzzy Hash: fc503bf9c012d502d05c0532f0908064c7849110fe966dbb4976f7f99d81f7a5
                                                                                                            • Instruction Fuzzy Hash: 58F01D72680604BBD6119AA0EE49FD6772CFF44751FC04421F705D7580D761A564CBE4
                                                                                                            APIs
                                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 02B71ED2
                                                                                                            • PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02B71EEA
                                                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 02B71EF9
                                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 02B71F0E
                                                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 02B71F15
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
                                                                                                            • String ID:
                                                                                                            • API String ID: 830998967-0
                                                                                                            • Opcode ID: 7c6d44531edaa666d428891561080753d14bb2bc65b0141aff99a3ef40a6c7e7
                                                                                                            • Instruction ID: c5ccc443b610bf3a8247b628b9c61e827160d53cfe807600ba2debf2741cdac1
                                                                                                            • Opcode Fuzzy Hash: 7c6d44531edaa666d428891561080753d14bb2bc65b0141aff99a3ef40a6c7e7
                                                                                                            • Instruction Fuzzy Hash: DCF01772680608BBD712AFA1EE89FC6BB6CFF04395F800416F60587441D761A565CBE0
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_log
                                                                                                            • String ID: ($string or blob too big$|
                                                                                                            • API String ID: 632333372-2398534278
                                                                                                            • Opcode ID: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                                                            • Instruction ID: 3c3a64a58f66130c0c9aec06ea77be0954bd7b4098f3428da06b6372deec6608
                                                                                                            • Opcode Fuzzy Hash: 03236f3895d5fd10e60d1ff1eefb6ed02231b27a1c47450c0fb49d2dd58edd91
                                                                                                            • Instruction Fuzzy Hash: 5DC10CB5A043288FCB66CF28C981789B7BABB59304F1085D9E958A7345C775EF81CF40
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: _memmove
                                                                                                            • String ID: invalid string position$string too long
                                                                                                            • API String ID: 4104443479-4289949731
                                                                                                            • Opcode ID: d9a020292da9d4b27868da5d387a7c0952246d9797cc99ed6d4dc54b5a10d98f
                                                                                                            • Instruction ID: f39b994f8b8143051551a3d8f88132924060188cd95b6b0f92f1fdb6f871b605
                                                                                                            • Opcode Fuzzy Hash: d9a020292da9d4b27868da5d387a7c0952246d9797cc99ed6d4dc54b5a10d98f
                                                                                                            • Instruction Fuzzy Hash: C341A4317003049BDB34DE69D884A6AFBAAEF41754B1009ADE876CB391DF70E844DB91
                                                                                                            APIs
                                                                                                            • WSASetLastError.WS2_32(00000000), ref: 02B730C3
                                                                                                            • WSAStringToAddressA.WS2_32(?,?,00000000,?,?), ref: 02B73102
                                                                                                            • _memcmp.LIBCMT ref: 02B73141
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AddressErrorLastString_memcmp
                                                                                                            • String ID: 255.255.255.255
                                                                                                            • API String ID: 1618111833-2422070025
                                                                                                            • Opcode ID: 88b4b6f98f89cc33a530b06583c89ae8df53fd05a2aa8f481ece12c222df169a
                                                                                                            • Instruction ID: 0f10cc91d5a0c9d19491b3475c156c73ad800d5667af2d7b8bc58be603a59933
                                                                                                            • Opcode Fuzzy Hash: 88b4b6f98f89cc33a530b06583c89ae8df53fd05a2aa8f481ece12c222df169a
                                                                                                            • Instruction Fuzzy Hash: F8319371A003159FDB209F74C89076EB7E5EF45364F2085E9E87597780DB729981CF90
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: Virtual$Protect$Query
                                                                                                            • String ID: @
                                                                                                            • API String ID: 3618607426-2766056989
                                                                                                            • Opcode ID: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                                            • Instruction ID: 11fd3fd6c91f2e29dbdaed7331fdf7a08ef8f1da01c53322037319a40d79a89e
                                                                                                            • Opcode Fuzzy Hash: a11a59528d98c4ff7ad69dfbc7d520f68a8f714e9ef4c31244658d91e7757f1c
                                                                                                            • Instruction Fuzzy Hash: 003141B5E15208AFEB14DFA9D48158EFFF5EF99254F10852AE868E3310E371D940CB52
                                                                                                            APIs
                                                                                                            • sqlite3_malloc.SQLITE3 ref: 60928353
                                                                                                              • Part of subcall function 60916FBA: sqlite3_initialize.SQLITE3(60912743,?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5), ref: 60916FC4
                                                                                                            • sqlite3_realloc.SQLITE3 ref: 609283A0
                                                                                                            • sqlite3_free.SQLITE3 ref: 609283B6
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                                                            • String ID: d
                                                                                                            • API String ID: 211589378-2564639436
                                                                                                            • Opcode ID: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                                            • Instruction ID: 0830c2115c9ea807631a831f7f1165b0ee40d8a8a94356aa67113494a68d5982
                                                                                                            • Opcode Fuzzy Hash: 4c34ce46e3d0a3d1d3def0d8ad382c8948c40f702370fc4fcdce263753dde11a
                                                                                                            • Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B71F5B
                                                                                                            • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02B71FC5
                                                                                                            • GetLastError.KERNEL32(?,00000000), ref: 02B71FD2
                                                                                                              • Part of subcall function 02B71712: __EH_prolog.LIBCMT ref: 02B71717
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog$CompletionCreateErrorLastPort
                                                                                                            • String ID: iocp
                                                                                                            • API String ID: 998023749-976528080
                                                                                                            • Opcode ID: 8b10c3c6a17d94a6917fb18912180f8be228c94d786af772759bd4412b71d65d
                                                                                                            • Instruction ID: efa7bfde066a827369798c0634e046d2798ed1774d02ac300ca384fa7a431618
                                                                                                            • Opcode Fuzzy Hash: 8b10c3c6a17d94a6917fb18912180f8be228c94d786af772759bd4412b71d65d
                                                                                                            • Instruction Fuzzy Hash: 6421B4B1901B449FCB20DF6AD50455BFBF8FF95720B108A5FD4A687A50D7B0A604CF91
                                                                                                            APIs
                                                                                                            • _malloc.LIBCMT ref: 02B827CD
                                                                                                              • Part of subcall function 02B81FAC: __FF_MSGBANNER.LIBCMT ref: 02B81FC3
                                                                                                              • Part of subcall function 02B81FAC: __NMSG_WRITE.LIBCMT ref: 02B81FCA
                                                                                                              • Part of subcall function 02B81FAC: RtlAllocateHeap.NTDLL(00850000,00000000,00000001), ref: 02B81FEF
                                                                                                            • std::exception::exception.LIBCMT ref: 02B827EB
                                                                                                            • __CxxThrowException@8.LIBCMT ref: 02B82800
                                                                                                              • Part of subcall function 02B831BA: RaiseException.KERNEL32(?,?,02B7EB5E,?,?,?,?,?,?,?,02B7EB5E,?,02B9ECA8,?), ref: 02B8320F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                                                                                            • String ID: bad allocation
                                                                                                            • API String ID: 3074076210-2104205924
                                                                                                            • Opcode ID: 088eccab3759bf78da5d81966b2dbd1946782ea609bbb7f2177b9ef2550c6407
                                                                                                            • Instruction ID: ac1db2ebca786b704f6fa67f4f90979b59c7ca6da7835b8b4fa6a27bcd30f696
                                                                                                            • Opcode Fuzzy Hash: 088eccab3759bf78da5d81966b2dbd1946782ea609bbb7f2177b9ef2550c6407
                                                                                                            • Instruction Fuzzy Hash: BEE0397990120AAADF00BF65CD409AF77AEAB00615F1044E6EC18A6690EF718A54CAA1
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B737B6
                                                                                                            • __localtime64.LIBCMT ref: 02B737C1
                                                                                                              • Part of subcall function 02B81600: __gmtime64_s.LIBCMT ref: 02B81613
                                                                                                            • std::exception::exception.LIBCMT ref: 02B737D9
                                                                                                              • Part of subcall function 02B814D3: std::exception::_Copy_str.LIBCMT ref: 02B814EC
                                                                                                              • Part of subcall function 02B79524: __EH_prolog.LIBCMT ref: 02B79529
                                                                                                              • Part of subcall function 02B79524: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02B79538
                                                                                                              • Part of subcall function 02B79524: __CxxThrowException@8.LIBCMT ref: 02B79557
                                                                                                            Strings
                                                                                                            • could not convert calendar time to UTC time, xrefs: 02B737CE
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
                                                                                                            • String ID: could not convert calendar time to UTC time
                                                                                                            • API String ID: 1963798777-2088861013
                                                                                                            • Opcode ID: e9d0c1e3ae7200b140916649b391c79fef5b0d49193159cf7243c2fc851d1861
                                                                                                            • Instruction ID: 6ef11bb3d6511d11ee00e4fbcb11df662fceccfe08e2cebe5e7d0132c521565b
                                                                                                            • Opcode Fuzzy Hash: e9d0c1e3ae7200b140916649b391c79fef5b0d49193159cf7243c2fc851d1861
                                                                                                            • Instruction Fuzzy Hash: 3CE06DB2D0121E9BDF00FF94D8407EFB7BDEB04340F0045E9D829A2140DB358616CE80
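The function entries above alternate between two memory regions: the 02B71000 dumps are marked "based on PE: false" and carry a "Yara matches" section, while the 60900000 dumps are a loaded image (the sqlite3 module). Separating the two is the first thing an analyst wants from this part of the report, since the non-image, executable region is where the unpacked payload (the IOCP networking, WSAStringToAddressA, Winsock error handling) lives. The following parser is an added example, not Joe Sandbox code: it reads entries in this report's layout, indexes API call sites and strings, and flags functions that sit in memory not backed by a PE on disk. SAMPLE is a constructed excerpt assembled from entries on this page. Decoding the dotted fields of the .sdmp filename as page protection and memory type is this example's own assumption (the values line up with the winnt.h constants 0x40 = PAGE_EXECUTE_READWRITE, 0x20000 = MEM_PRIVATE, 0x1000000 = MEM_IMAGE); the report itself states only "based on PE: true/false", which is the primary signal the code relies on.

```python
"""Parse Joe Sandbox function-summary entries (APIs / Strings / Memory Dump Source
blocks) and pick out functions living in memory not backed by a PE on disk.

Added example, not Joe Sandbox code. SAMPLE is a constructed excerpt in the
report's layout. Reading .sdmp filename fields as protection / memory type is an
ASSUMPTION of this example (values match winnt.h constants); the report itself
only states "based on PE: true/false".
"""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40   # winnt.h
MEM_PRIVATE = 0x20000           # winnt.h
MEM_IMAGE = 0x1000000           # winnt.h

# Constructed excerpt: two entries copied from the report, abbreviated.
SAMPLE = """\
APIs
• CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02B71FC5
• GetLastError.KERNEL32(?,00000000), ref: 02B71FD2
  • Part of subcall function 02B71712: __EH_prolog.LIBCMT ref: 02B71717
Strings
• could not convert calendar time to UTC time, xrefs: 02B737CE
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Yara matches
Similarity
• API ID: H_prolog$CompletionCreateErrorLastPort
• String ID: iocp
• Instruction Fuzzy Hash: 6421B4B1901B449FCB20DF6AD50455BFBF8FF95720B108A5FD4A687A50D7B0A604CF91
APIs
• sqlite3_malloc.SQLITE3 ref: 60928353
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
Similarity
• API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
• String ID: d
• Instruction Fuzzy Hash: 222137B0A04205CFDB14DF59D4C078ABBF6FF69314F158469D8889B309E3B8E841CBA1
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"; names may contain :: and @
API_RE = re.compile(r"^•\s+(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)(?:\(.*\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^•\s+(?P<text>.+?),\s+xrefs:\s+(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Source File:\s+(?P<file>\S+\.sdmp),\s+Offset:\s+(?P<offset>[0-9A-Fa-f]+),\s+based on PE:\s+(?P<pe>true|false)")
KV_RE = re.compile(r"^•\s+(?P<key>(?:API|String|API String|Opcode|Instruction) ID|(?:Opcode|Instruction) Fuzzy Hash):\s*(?P<val>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)      # (name, module, call-site address)
    strings: list = field(default_factory=list)   # (text, xref address)
    source_file: str = ""
    offset: int = 0
    pe_backed: bool = True                        # "based on PE: true/false" as stated by the report
    has_yara_section: bool = False                # the dump carries a "Yara matches" section
    meta: dict = field(default_factory=dict)      # API ID, String ID, fuzzy hashes, ...

    def _field(self, idx: int) -> int:
        # ASSUMPTION: dotted .sdmp name = pid.dump.uid.base.protect.?.type.index
        parts = self.source_file.split(".")
        return int(parts[idx], 16) if len(parts) > idx else 0

    @property
    def protect(self) -> int:
        return self._field(4)

    @property
    def mem_type(self) -> int:
        return self._field(6)

    def is_unpacked_code(self) -> bool:
        """Code the report says is not file-backed, in an RWX region (field decode assumed)."""
        return (not self.pe_backed) and self.protect == PAGE_EXECUTE_READWRITE


def parse_entries(text: str) -> list:
    """Split the report text into FunctionEntry objects; each entry opens with 'APIs'."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            section = "APIs"
            continue
        if cur is None:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if line == "Yara matches":
            cur.has_yara_section = True
            continue
        if line.startswith("• Part of subcall"):   # callee's imports, not this function's own
            continue
        if (m := SRC_RE.search(line)):
            cur.source_file, cur.offset, cur.pe_backed = m["file"], int(m["offset"], 16), m["pe"] == "true"
        elif (m := KV_RE.match(line)):
            cur.meta[m["key"]] = m["val"]
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.apis.append((m["name"], m["module"], int(m["ref"], 16)))
        elif section == "Strings" and (m := STR_RE.match(line)):
            cur.strings.append((m["text"], int(m["ref"], 16)))
    return entries


def api_index(entries: list) -> dict:
    """Map 'Name.MODULE' to the sorted list of call-site addresses across all entries."""
    idx = {}
    for e in entries:
        for name, module, ref in e.apis:
            idx.setdefault(f"{name}.{module}", set()).add(ref)
    return {k: sorted(v) for k, v in idx.items()}


def unpacked_functions(entries: list) -> list:
    return [e for e in entries if e.is_unpacked_code()]


def find_chain(entries: list, *wanted: str) -> list:
    """Entries whose own calls include every API name in `wanted` (e.g. an IOCP setup)."""
    return [e for e in entries if all(w in {n for n, _, _ in e.apis} for w in wanted)]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in unpacked_functions(parsed):
        print(f"unpacked @ {e.offset:08X} type=0x{e.mem_type:X} yara={e.has_yara_section} apis={[n for n, _, _ in e.apis]}")
    for api, refs in sorted(api_index(parsed).items()):
        print(api, [f"{r:08X}" for r in refs])
```

Run over the full report text instead of SAMPLE and `api_index` gives every call site of, say, WSAStringToAddressA or CreateIoCompletionPort in one place, while `unpacked_functions` isolates the non-image region for YARA or fuzzy-hash pivots; the sqlite3 entries drop out because they are file-backed.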
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                            • String ID: _Jv_RegisterClasses$libgcj-11.dll
                                                                                                            • API String ID: 1646373207-2713375476
                                                                                                            • Opcode ID: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                                            • Instruction ID: e6822cb61b404b68644b44a252d8259deade1a358cfa59fcc717d95409d4d83a
                                                                                                            • Opcode Fuzzy Hash: 84d528d321f1eea6d8a1b68cb749bb1a2441192a5c5952381cf667fabd413772
                                                                                                            • Instruction Fuzzy Hash: 0DE04F7062D30586FB443F794D923297AEB5F72549F00081CD9929B240EBB4D440D753
APIs
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: AdjustPointer_memmove
• String ID:
• API String ID: 1721217611-0
• Opcode ID: 88aa441aec1506f79354f0f693d15a28c0d260cc3c159bcfb3e027206d371c09
• Instruction ID: 3fc49a245eb9969c9a78cf5f371c017bb835593f4a8655316706279412fc8dec
• Opcode Fuzzy Hash: 88aa441aec1506f79354f0f693d15a28c0d260cc3c159bcfb3e027206d371c09
• Instruction Fuzzy Hash: 22419536204B439EEF247E65E981B767BA6DF05315F2400DDF95C8AAD1EB72E484CB10
APIs
• SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02B74149), ref: 02B803BF
  • Part of subcall function 02B73FDC: __EH_prolog.LIBCMT ref: 02B73FE1
  • Part of subcall function 02B73FDC: CreateEventA.KERNEL32(00000000,?,?,00000000), ref: 02B73FF3
• CloseHandle.KERNEL32(00000000), ref: 02B803B4
• CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02B74149), ref: 02B80400
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02B74149), ref: 02B804D1
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: CloseHandle$Event$CreateH_prolog
• String ID:
• API String ID: 2825413587-0
• Opcode ID: 2424f7d2167a14a0ec93b6ed4eba83fd2cf898cb78a50daab204171333d6c1a7
• Instruction ID: 5b2a6c60673f1eb009d6c3476de19b95c31fb868e6a7faa861b34ab4d094f6e2
• Opcode Fuzzy Hash: 2424f7d2167a14a0ec93b6ed4eba83fd2cf898cb78a50daab204171333d6c1a7
• Instruction Fuzzy Hash: 5951BE716043458BDB21FF28C88475A77E5FF483A8F194AA8EC6DA7390D735D809CB91
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02B8E2DB
• __isleadbyte_l.LIBCMT ref: 02B8E309
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,00000000,00000000,?,?,?), ref: 02B8E337
• MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,00000000,00000000,?,?,?), ref: 02B8E36D
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 6a2301486d0040800edb428b0378c56194e344763eef6513b5ff57a005308589
• Instruction ID: 22394b781076299ec3437a1a7b8a951c27533cc360a56965398cb278b064a79d
• Opcode Fuzzy Hash: 6a2301486d0040800edb428b0378c56194e344763eef6513b5ff57a005308589
• Instruction Fuzzy Hash: 4E31E130600256EFDB22AF75C844BBA7BBAFF41314F0584A9F8689B1A0D730D850CB51
APIs
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_freesqlite3_mallocsqlite3_value_bytessqlite3_value_text
• String ID:
• API String ID: 1648232842-0
• Opcode ID: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
• Instruction ID: a01add595a6c287de5924383f0ed77e5cc34082cd65fcd393cbe5beac3228527
• Opcode Fuzzy Hash: 6f401334500cf3ce8937f97dce09bc9131fc1f686c7391f4db805f1c2cabf22c
• Instruction Fuzzy Hash: 4531C0B4A042058FDB04DF29C094B5ABBE2FF98354F1484A9EC498F349D779E846CBA0
APIs
• sqlite3_step.SQLITE3 ref: 609614AB
• sqlite3_reset.SQLITE3 ref: 609614BF
  • Part of subcall function 60941C40: sqlite3_mutex_enter.SQLITE3 ref: 60941C58
  • Part of subcall function 60941C40: sqlite3_mutex_leave.SQLITE3 ref: 60941CBE
• sqlite3_column_int64.SQLITE3 ref: 609614D4
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_column_int64sqlite3_mutex_entersqlite3_mutex_leavesqlite3_resetsqlite3_step
• String ID:
• API String ID: 3429445273-0
• Opcode ID: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
• Instruction ID: 62863439de2fabb71fd3664abc4fbfc11ff04353a6e6e3e42574d1c19fb7889d
• Opcode Fuzzy Hash: 44b7ea0f60ccad0bdb665534712f35195a3185c30aa33eaed9220a178cd48643
• Instruction Fuzzy Hash: AE316470A183408BEF15CF69C1C5749FBA6AFA7348F188599DC864F30AD375D884C752
APIs
• htons.WS2_32(?), ref: 02B73DA2
  • Part of subcall function 02B73BD3: __EH_prolog.LIBCMT ref: 02B73BD8
  • Part of subcall function 02B73BD3: std::bad_exception::bad_exception.LIBCMT ref: 02B73BED
• htonl.WS2_32(00000000), ref: 02B73DB9
• htonl.WS2_32(00000000), ref: 02B73DC0
• htons.WS2_32(?), ref: 02B73DD4
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
• String ID:
• API String ID: 3882411702-0
• Opcode ID: e1938114ab7d4c6952fa5e343d87ced810df5a330041b8df5c87d1edba743802
• Instruction ID: b1034efed1b95f923b7972553951163557460c1244033382a8274b472bf2ff2e
• Opcode Fuzzy Hash: e1938114ab7d4c6952fa5e343d87ced810df5a330041b8df5c87d1edba743802
• Instruction Fuzzy Hash: ED118E76A40319EFCF119F64D985A9AB7B9FF08310F008496FC04DF251D7729A54DBA1
APIs
• sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 609034D8
• sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903521
• sqlite3_mutex_enter.SQLITE3(-00000200,?,?,6090B22B), ref: 6090354A
• sqlite3_mutex_leave.SQLITE3(-00000200,?,?,6090B22B), ref: 60903563
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• String ID:
• API String ID: 1477753154-0
• Opcode ID: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
• Instruction ID: 848dca46e936c6e01d33e08870ae11aa620bd8b24bdb606da7ea596206f2e213
• Opcode Fuzzy Hash: cc0b0c4414a91b2c8747a1fff16426ed14613a144e31e5ae299e51467139190c
• Instruction Fuzzy Hash: 44111F726186218FDB00EF7DC8817597FEAFB66308F00842DE865E7362E779D8819741
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000), ref: 02B723D0
• RtlEnterCriticalSection.NTDLL(?), ref: 02B723DE
• InterlockedExchange.KERNEL32(?,00000001), ref: 02B72401
• RtlLeaveCriticalSection.NTDLL(?), ref: 02B72408
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
• Opcode ID: 1784275c83bb6a00f9af8f045e226e1de4e8cdec83ae14015df12759a510351f
• Instruction ID: 12988c0914088cf899265740dbcd6583f36961fc276f67293757f1a314ffa784
• Opcode Fuzzy Hash: 1784275c83bb6a00f9af8f045e226e1de4e8cdec83ae14015df12759a510351f
• Instruction Fuzzy Hash: F511E131640308AFEB219F60D984BAABBB8FF40748F5044ADFA019B140D7B1F851CBA0
APIs
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: e1608ff869193820dcf79d8bca692e84e8eabdf5d53619faff6e3514c924fb3c
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: 9901197640014ABBCF127E98CC518EE3F67FB1A354B498496FA2C99131D336D9B1EB81
APIs
• ___BuildCatchObject.LIBCMT ref: 02B895E4
  • Part of subcall function 02B89BFB: ___AdjustPointer.LIBCMT ref: 02B89C44
• _UnwindNestedFrames.LIBCMT ref: 02B895FB
• ___FrameUnwindToState.LIBCMT ref: 02B8960D
• CallCatchBlock.LIBCMT ref: 02B89631
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
• String ID:
• API String ID: 2633735394-0
• Opcode ID: 713256ae837dbe65801958c0297b5b5fc49ecbb291bb0655e55bccd4794a1f23
• Instruction ID: 165ab6e48a9f3e301675e2d4487cbe9a6225b996f56a4b1627d26a0b77663ef6
• Opcode Fuzzy Hash: 713256ae837dbe65801958c0297b5b5fc49ecbb291bb0655e55bccd4794a1f23
• Instruction Fuzzy Hash: AC01D332000509BBCF12AF95CC40EEA3BAAEF88754F058495FE5C66221D732E961DFA0
APIs
• sqlite3_initialize.SQLITE3 ref: 6092A450
  • Part of subcall function 60912453: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,609129E5,?), ref: 609124D1
• sqlite3_mutex_enter.SQLITE3 ref: 6092A466
• sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
• sqlite3_memory_used.SQLITE3 ref: 6092A4BA
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_mutex_enter$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_leave
• String ID:
• API String ID: 2673540737-0
• Opcode ID: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
• Instruction ID: c4988029ba64cfb2248a7cf0c790324acf4c13eb0f9cd3f15fdedc175ef3c91a
• Opcode Fuzzy Hash: 58333c90df1895ca2798dafcbab41657529afc007f85020e925d8580cfdcdfcb
• Instruction Fuzzy Hash: F9019276E143148BCB00EF79D88561ABFE7FBA5324F008528EC9497364E735DC408B81
APIs
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_value_text$sqlite3_freesqlite3_load_extension
• String ID:
• API String ID: 3526213481-0
• Opcode ID: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
• Instruction ID: 98199466554994e62e20ad809be6129e3c08b78dd6d8c38fc18f61524e73aad2
• Opcode Fuzzy Hash: e69664dddad2286ff6ed0cb1f1c7a121e5262b7aa8061cf10291ac83704fea4b
• Instruction Fuzzy Hash: 4101E9B5A043059BCB00EF69D485AAFBBF5EF68654F10C529EC9497304E774D841CF91
APIs
• sqlite3_prepare.SQLITE3 ref: 60969166
• sqlite3_errmsg.SQLITE3 ref: 60969172
  • Part of subcall function 609258A8: sqlite3_log.SQLITE3 ref: 609258E5
• sqlite3_errcode.SQLITE3 ref: 6096918A
  • Part of subcall function 609251AA: sqlite3_log.SQLITE3 ref: 609251E8
• sqlite3_step.SQLITE3 ref: 60969197
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_log$sqlite3_errcodesqlite3_errmsgsqlite3_preparesqlite3_step
• String ID:
• API String ID: 2877408194-0
• Opcode ID: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
• Instruction ID: d4ebd4c9a05a553e526e78eaaf80584f3afcfe73b3175c4c6dada352db343273
• Opcode Fuzzy Hash: 06185e76a961c89383dca1620ea17d5683e825aa4cba78efc797247d66345ea8
• Instruction Fuzzy Hash: 9F0186B091C3059BE700EF29C88525DFBE9EFA5314F11892DA89987384E734C940CB86
APIs
• PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02B724A9
• RtlEnterCriticalSection.NTDLL(?), ref: 02B724B8
• InterlockedExchange.KERNEL32(?,00000001), ref: 02B724CD
• RtlLeaveCriticalSection.NTDLL(?), ref: 02B724D4
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
• String ID:
• API String ID: 4018804020-0
• Opcode ID: ba8111eb81fbc05030980e862ea63dac9c4a17af6e40175e29d50ff412d24dbd
• Instruction ID: 43ed54f7239fa9fe05f263380558bf09cb5acd76fb9e84b83b0afc8173ad68bc
• Opcode Fuzzy Hash: ba8111eb81fbc05030980e862ea63dac9c4a17af6e40175e29d50ff412d24dbd
• Instruction Fuzzy Hash: 9CF03C72640204AFD7019F65ED55F9ABBACFF44751F404429FA18C7145D771E560CFA0
APIs
• sqlite3_mutex_enter.SQLITE3 ref: 609084E9
• sqlite3_mutex_leave.SQLITE3 ref: 60908518
• sqlite3_mutex_enter.SQLITE3 ref: 60908528
• sqlite3_mutex_leave.SQLITE3 ref: 6090855B
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_mutex_entersqlite3_mutex_leave
• String ID:
• API String ID: 1477753154-0
• Opcode ID: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
• Instruction ID: c41a4d3f3efa942db11cbd34a9101edfe28f26dd6f673ba1da0d5803e4a0adbd
• Opcode Fuzzy Hash: dbb0a767127359d75753d9f151f7b9e03affe710ab86404e29d94d971225fba8
• Instruction Fuzzy Hash: FD01A4B05093048BDB40AF25C5D97CABBA5EF15718F0884BDEC894F34AD7B9D5448BA1
APIs
• __EH_prolog.LIBCMT ref: 02B72009
• RtlDeleteCriticalSection.NTDLL(?), ref: 02B72028
• CloseHandle.KERNEL32(00000000), ref: 02B72037
• CloseHandle.KERNEL32(00000000), ref: 02B7204E
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CriticalDeleteH_prologSection
• String ID:
• API String ID: 2456309408-0
• Opcode ID: ec31aaf6228200a4297d09ef876041d343b4f4ad20401114628285d41279f96e
• Instruction ID: 6b456cec45d5f3684f5e7c65e622951465c37d2a5eabbaa5fbc92f9104b26a68
• Opcode Fuzzy Hash: ec31aaf6228200a4297d09ef876041d343b4f4ad20401114628285d41279f96e
• Instruction Fuzzy Hash: 6B018171840B049FC739AF54E908B9AB7F6FF05308F004AAEE85693590C770A554CFA4
APIs
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: Event$H_prologSleep
• String ID:
• API String ID: 1765829285-0
• Opcode ID: 829940b67d1c7bfb38ab72bee03451e0f5cf880989df4531ab7fcb11b5e1d64e
• Instruction ID: 43a3026c1e344336339862a6344a8328089c84273b36487af9eadd59aef4ff0c
• Opcode Fuzzy Hash: 829940b67d1c7bfb38ab72bee03451e0f5cf880989df4531ab7fcb11b5e1d64e
• Instruction Fuzzy Hash: 4EF03A36A81110EFCB109F94D988B98BBA4FF09351F5481A9F91A9B290C7359850CBA5
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_log
• String ID: into$out of
• API String ID: 632333372-1114767565
• Opcode ID: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
• Instruction ID: de20b162988cb891a2f8fbcf22309076e3e21d241eadb06c465d82de9f0e8d92
• Opcode Fuzzy Hash: 05e60a680804dc8d75cc30d301a58b6784d3cbcabfb13c7dcba40214300a3b29
• Instruction Fuzzy Hash: 91910170A043149BDB26CF28C88175EBBBABF65308F0481E9E858AB355D7B5DE85CF41
APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: H_prolog_memmove
• String ID: &'
• API String ID: 3529519853-655172784
• Opcode ID: bd0a0c1a5bced20e9f5092102a5aea641ef49d3db64e5e3e3e91ef0d7e491ef6
• Instruction ID: dd52595994d5e1859b26e200bdfcc0c043875e8d92c4f3ffbefce56278964d1d
• Opcode Fuzzy Hash: bd0a0c1a5bced20e9f5092102a5aea641ef49d3db64e5e3e3e91ef0d7e491ef6
• Instruction Fuzzy Hash: 0D615D71D00609DFDF20EFA4C945AEDBBB6EF48710F1081AAD525BB190D7709A45CF61
APIs
  • Part of subcall function 60918408: sqlite3_value_text.SQLITE3 ref: 60918426
• sqlite3_free.SQLITE3 ref: 609193A3
Strings
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_freesqlite3_value_text
• String ID: (NULL)$NULL
• API String ID: 2175239460-873412390
• Opcode ID: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
• Instruction ID: 63658e955800b40111a930d2026d12727b3b294c4be858d68b3f7c51d7abf176
• Opcode Fuzzy Hash: 2d639d8f8789be8f4f2115c7e339461789bfa1512606a4b94e85873a15b94a2d
• Instruction Fuzzy Hash: E3514B31F0825A8EEB258A68C89479DBBB6BF66304F1441E9C4A9AB241D7309DC6CF01

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_log
• String ID: string or blob too big$|
• API String ID: 632333372-330586046
• Opcode ID: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
• Instruction ID: 65a9847582dc10a4f4f17f1c4fc8d82f10366072c52f03016cacc5a11d353e3e
• Opcode Fuzzy Hash: b6301cf988e6664baaa8b4960c9a349f418ad1f33ca54faa928bbeacb0d503e6
• Instruction Fuzzy Hash: 4D51B9749083689BCB22CF28C985789BBF6BF59314F1086D9E49897351C775EE81CF41

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_log
• String ID: -- $d
• API String ID: 632333372-777087308
• Opcode ID: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
• Instruction ID: 827f605eab188c5b26b82399601ab0ab65c2dc521f736992582695f4996adf34
• Opcode Fuzzy Hash: 04c39e600f9b005651fcb68da317ac4a80b79d2e803021aaf364a84fff9736a0
• Instruction Fuzzy Hash: 5651F674A042689FDB26CF28C885789BBFABF55304F1081D9E99CAB341C7759E85CF41

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_logsqlite3_value_text
• String ID: string or blob too big
• API String ID: 2320820228-2803948771
• Opcode ID: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
• Instruction ID: 1f8da1134a73d261049fdcd83983d84c916c8a3f87851362e697cdb17b1d2bab
• Opcode Fuzzy Hash: 4552165c49a92a3f1eebbde7746405f837ee0ef0562a3825501d2540ddfe4a5c
• Instruction Fuzzy Hash: F631D9B0A083249BCB25DF28C881799B7FABF69304F0085DAE898A7301D775DE81CF45

APIs
• WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02B773CE,?,?,00000000), ref: 02B786CC
• getsockname.WS2_32(?,?,?), ref: 02B786E2
Strings
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: ErrorLastgetsockname
• String ID: &'
• API String ID: 566540725-655172784
• Opcode ID: f926f7e47ef232ff347668808b95a08e6e58a210eba95fe806a44a5082c2d699
• Instruction ID: 90a57cacaf0b7c8e7a6de444fc63b75ea144d40ef910c0966c26f7f9aee12428
• Opcode Fuzzy Hash: f926f7e47ef232ff347668808b95a08e6e58a210eba95fe806a44a5082c2d699
• Instruction Fuzzy Hash: 6E216276A04208AFDB10DF68D854ADEB7F5FF48364F1185AAE928EB380D730E9458B54

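Every function block in this listing has the same layout: the API calls the function makes (callee references are prefixed "Part of subcall function"), the strings it references with their xrefs, the memory dump it was disassembled from, and the similarity identifiers. The dotted .sdmp name encodes where the code came from: reading its fields as base address, page protection and memory type (an assumed layout, inferred from the values on this page, not documented by the report), the 02B71000 region is 00000040/00020000, i.e. PAGE_EXECUTE_READWRITE private memory with "based on PE: false" and Yara matches, while the 60900000 region is 00000020/01000000, i.e. PAGE_EXECUTE_READ text of an image-backed module (the SQLITE3 one). The Python below is an added example, not Joe Sandbox code and not part of this report: it parses an excerpt constructed from the blocks on this page, decodes the dump name with those assumptions, and returns the functions that live in unpacked RWX memory and call Winsock, translating each "ref:" address to an offset inside the downloadable dump so the analyst can seek straight to it.

```python
# Added example, not Joe Sandbox code: parse the function-listing blocks of a Joe
# Sandbox report and triage the ones worth opening first.  The .sdmp name layout
# (base, protection, type, module index) is assumed from the values on this page.
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE, MEM_PRIVATE, MEM_IMAGE = 0x40, 0x20000, 0x1000000  # winnt.h
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?(?P<name>[^\s(]+?)"
                    r"\.(?P<module>[A-Z0-9_]+)(?:\(.*\))?,? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)$")
SOURCE_RE = re.compile(r"^Source File: (?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-F]+), "
                       r"based on PE: (?P<pe>true|false)$")
SDMP_RE = re.compile(r"^\d{8}\.\d{8}\.\d+\.([0-9A-F]{16})\.([0-9A-F]{8})\.[0-9A-F]{8}"  # assumed:
                     r"\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$")  # proc.run.id.base.protect.?.type.module


@dataclass
class DumpRegion:
    base: int
    protect: int
    mem_type: int
    module_index: int

    @classmethod
    def from_filename(cls, name: str) -> "DumpRegion":
        m = SDMP_RE.match(name)
        if not m:
            raise ValueError(f"not a Joe Sandbox dump name: {name}")
        return cls(*(int(g, 16) for g in m.groups()))

    @property
    def is_private_rwx(self) -> bool:
        # RWX private memory is the usual shape of code unpacked at run time
        return self.protect == PAGE_EXECUTE_READWRITE and self.mem_type == MEM_PRIVATE


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)     # (name, module, ref, caller or None)
    strings: list = field(default_factory=list)  # (text, xref)
    region: "DumpRegion | None" = None
    offset: int = 0                              # the block's "Offset:" value
    based_on_pe: "bool | None" = None

    def network_apis(self) -> list:
        return [name for name, module, _, _ in self.apis if module == "WS2_32"]

    def dump_offsets(self) -> dict:
        # byte offset in the dump file of each direct (non-subcall) API reference
        return {ref: int(ref, 16) - self.offset
                for _, _, ref, caller in self.apis if caller is None}


def parse_listing(text: str) -> list:
    blocks, section = [], None
    current = FunctionBlock()                    # a leading partial block is discarded
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            if section == "APIs":                # every function block opens with APIs
                current = FunctionBlock()
                blocks.append(current)
            continue
        item = line[2:] if line.startswith("• ") else line
        if section == "APIs" and (m := API_RE.match(item)):
            current.apis.append((m["name"], m["module"], m["ref"], m["caller"]))
        elif section == "Strings" and (m := STRING_RE.match(item)):
            current.strings.append((m["text"], m["ref"]))
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(item)):
            current.region = DumpRegion.from_filename(m["file"])
            current.offset = int(m["offset"], 16)
            current.based_on_pe = m["pe"] == "true"
    return blocks


def triage(blocks: list) -> list:
    # code in private RWX memory, not file-backed, that calls Winsock: open these first
    return [b for b in blocks if b.region is not None and b.region.is_private_rwx
            and b.based_on_pe is False and b.network_apis()]


# Constructed excerpt: three blocks copied from this listing, hashes omitted
SAMPLE = """\
APIs
• WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02B773CE,?,?,00000000), ref: 02B786CC
• getsockname.WS2_32(?,?,?), ref: 02B786E2
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
APIs
• sqlite3_aggregate_context.SQLITE3 ref: 60914096
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
APIs
• std::runtime_error::runtime_error.LIBCPMT ref: 02B739C1
  • Part of subcall function 02B7961A: __CxxThrowException@8.LIBCMT ref: 02B7964D
Strings
• Day of month is not valid for year, xrefs: 02B739AC
"""
```

Running triage(parse_listing(SAMPLE)) keeps only the getsockname block: its region is private RWX memory that is not based on a PE, and the two WS2_32 references sit at offsets 0x76CC and 0x76E2 inside the 02B71000 dump. The SQLITE3 block is dropped because its dump is an image mapping, and the boost runtime_error block because it calls no Winsock API, even though it sits in the same unpacked region.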
APIs
• __EH_prolog.LIBCMT ref: 02B7BCB0
  • Part of subcall function 02B7C28C: std::exception::exception.LIBCMT ref: 02B7C2BB
  • Part of subcall function 02B7CA42: __EH_prolog.LIBCMT ref: 02B7CA47
  • Part of subcall function 02B827B5: _malloc.LIBCMT ref: 02B827CD
  • Part of subcall function 02B7C2EB: __EH_prolog.LIBCMT ref: 02B7C2F0
Strings
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02B7BCED
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02B7BCE6
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
• API String ID: 1953324306-1943798000
• Opcode ID: c7ceed6ef1ef6ebe4d7ad06d7a19291170fca63c978621f659f358001baef965
• Instruction ID: 30af4605d7948c6a7447daa7afeb882e49c8a3721c8ecd1292090674894e4a47
• Opcode Fuzzy Hash: c7ceed6ef1ef6ebe4d7ad06d7a19291170fca63c978621f659f358001baef965
• Instruction Fuzzy Hash: 8021AD72E013589ADF14EBE8E454AEEBBB5EF54704F0040DDE866BB291DB705A44CF50

APIs
• __EH_prolog.LIBCMT ref: 02B7BDA5
  • Part of subcall function 02B7C363: std::exception::exception.LIBCMT ref: 02B7C390
  • Part of subcall function 02B7CB79: __EH_prolog.LIBCMT ref: 02B7CB7E
  • Part of subcall function 02B827B5: _malloc.LIBCMT ref: 02B827CD
  • Part of subcall function 02B7C3C0: __EH_prolog.LIBCMT ref: 02B7C3C5
Strings
• class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02B7BDDB
• C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02B7BDE2
Memory Dump Source
• Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
Yara matches
Similarity
• API ID: H_prolog$_mallocstd::exception::exception
• String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
• API String ID: 1953324306-412195191
• Opcode ID: 43087c31077e1592cb9c5ee016aea5330302be4acf13dc0f0accfb63e9c15046
• Instruction ID: 6ffb5edc303c5ba3dc92f3b661c668b851ef3fc2cf8360ad53e3031c6aeb0511
• Opcode Fuzzy Hash: 43087c31077e1592cb9c5ee016aea5330302be4acf13dc0f0accfb63e9c15046
• Instruction Fuzzy Hash: 5E219C72E04258AADB18EBE4D854AAEBBB5EF54704F0045DEE856AB390CB705A44CF90

APIs
• sqlite3_aggregate_context.SQLITE3 ref: 60914096
• sqlite3_value_numeric_type.SQLITE3 ref: 609140A2
Strings
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
• String ID:
• API String ID: 3265351223-3916222277
• Opcode ID: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
• Instruction ID: a3c0f903ff645dd1c5a8146eaa2078e963ad6c1b8d1bbf61d5d4caeb1888773d
• Opcode Fuzzy Hash: 46809e466d9dc696839b8d734d1d71a7cd961db8d22299a3a9f395bc6b436a6c
• Instruction Fuzzy Hash: 19119EB0A0C6589BDF059F69C4D539A7BF6AF39308F0044E8D8D08B205E771CD94CB81

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
• Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
Similarity
• API ID: sqlite3_stricmp
• String ID: log
• API String ID: 912767213-2403297477
• Opcode ID: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
• Instruction ID: cbf508da25866b0a35bc2ca480d64d7c482f0664b0359b741109bd545b4f9ff5
• Opcode Fuzzy Hash: 32625358f7d37366d1c1d188942de81712d107425b8b720a67b4b84d1adec0cd
• Instruction Fuzzy Hash: FD11DAB07087048BE725AF66C49535EBBB3ABA1708F10C42CE4854B784C7BAC986DB42

                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B7396A
                                                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02B739C1
                                                                                                              • Part of subcall function 02B71410: std::exception::exception.LIBCMT ref: 02B71428
                                                                                                              • Part of subcall function 02B7961A: __EH_prolog.LIBCMT ref: 02B7961F
                                                                                                              • Part of subcall function 02B7961A: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02B7962E
                                                                                                              • Part of subcall function 02B7961A: __CxxThrowException@8.LIBCMT ref: 02B7964D
                                                                                                            Strings
                                                                                                            • Day of month is not valid for year, xrefs: 02B739AC
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                            • String ID: Day of month is not valid for year
                                                                                                            • API String ID: 1404951899-1521898139
                                                                                                            • Opcode ID: ad4fb49cddbbe3ae47d062d213b79942bf6ec50665a90b313f502ffe94826bd5
                                                                                                            • Instruction ID: 67c58d0276bd248e9bd4939ee71e65f915ccd4f24424a16e204cf93e3175a0b4
                                                                                                            • Opcode Fuzzy Hash: ad4fb49cddbbe3ae47d062d213b79942bf6ec50665a90b313f502ffe94826bd5
                                                                                                            • Instruction Fuzzy Hash: 3A01D436C20249AADF04EFA4D841AEEB7B9FF15710F1044AAFD2493200EB708B51DBA5
                                                                                                            APIs
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_strnicmp
                                                                                                            • String ID: SQLITE_
                                                                                                            • API String ID: 1961171630-787686576
                                                                                                            • Opcode ID: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                                            • Instruction ID: 6d5ef3c0fd507030b5e8170497320435726bf3f0db30f2d6f2734bcd7f756fb3
                                                                                                            • Opcode Fuzzy Hash: 6b56a851e7df47422a7a29131339b4dfcb3302745a705f9abe90012807219487
                                                                                                            • Instruction Fuzzy Hash: 2501D6B190C3505FD7419F29CC8075BBFFAEBA5258F10486DE89687212D374DC81D781
                                                                                                            APIs
                                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 6091A1DB
                                                                                                            • sqlite3_value_blob.SQLITE3 ref: 6091A1FA
                                                                                                            Strings
                                                                                                            • Invalid argument to rtreedepth(), xrefs: 6091A1E3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_value_blobsqlite3_value_bytes
                                                                                                            • String ID: Invalid argument to rtreedepth()
                                                                                                            • API String ID: 1063208240-2843521569
                                                                                                            • Opcode ID: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                                            • Instruction ID: c9489564a96cd83e586e3a08c251b8a8c74d553169181c25a19da25ffef599d7
                                                                                                            • Opcode Fuzzy Hash: 11a8b631faa983fdd1b04a57150add771201859657fb9a8a7ca9793758d49f10
                                                                                                            • Instruction Fuzzy Hash: 0FF0A4B2A0C2589BDB00AF2CC88255577A6FF24258F1045D9E9858F306EB34DDD5C7D1
                                                                                                            APIs
                                                                                                            • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561D7
                                                                                                              • Part of subcall function 6092A43E: sqlite3_initialize.SQLITE3 ref: 6092A450
                                                                                                              • Part of subcall function 6092A43E: sqlite3_mutex_enter.SQLITE3 ref: 6092A466
                                                                                                              • Part of subcall function 6092A43E: sqlite3_mutex_leave.SQLITE3 ref: 6092A47F
                                                                                                              • Part of subcall function 6092A43E: sqlite3_memory_used.SQLITE3 ref: 6092A4BA
                                                                                                            • sqlite3_soft_heap_limit64.SQLITE3 ref: 609561EB
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_soft_heap_limit64$sqlite3_initializesqlite3_memory_usedsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                            • String ID: soft_heap_limit
                                                                                                            • API String ID: 1251656441-405162809
                                                                                                            • Opcode ID: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                                            • Instruction ID: 8891d4bbc0f5aef5547f00e3070395c34840fc2012d087b050684f6162b0ba7d
                                                                                                            • Opcode Fuzzy Hash: 0a3178e3d5348c0d1dba646aca47308acc52713326f376e4eba91e5107f5ba07
                                                                                                            • Instruction Fuzzy Hash: C2014B71A083188BC710EF98D8417ADB7F2BFA5318F508629E8A49B394D730DC42CF41
                                                                                                            APIs
                                                                                                            • std::exception::exception.LIBCMT ref: 02B7EB16
                                                                                                            • __CxxThrowException@8.LIBCMT ref: 02B7EB2B
                                                                                                              • Part of subcall function 02B827B5: _malloc.LIBCMT ref: 02B827CD
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: Exception@8Throw_mallocstd::exception::exception
                                                                                                            • String ID: bad allocation
                                                                                                            • API String ID: 4063778783-2104205924
                                                                                                            • Opcode ID: eda74fc189ca0d14804be064efc9fb913cd8e0adf39c3aa578bd061a5f7a477d
                                                                                                            • Instruction ID: 15722e247eb4d55698091f7b7e40935a59f649dfd5b0466d97611b5dc18fb426
                                                                                                            • Opcode Fuzzy Hash: eda74fc189ca0d14804be064efc9fb913cd8e0adf39c3aa578bd061a5f7a477d
                                                                                                            • Instruction Fuzzy Hash: 65F0827160020A67AF04BAA889959AF77EDDB04614F5005FAE925D2680EF70EA44C591
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B73C1B
                                                                                                            • std::bad_exception::bad_exception.LIBCMT ref: 02B73C30
                                                                                                              • Part of subcall function 02B814B7: std::exception::exception.LIBCMT ref: 02B814C1
                                                                                                              • Part of subcall function 02B79653: __EH_prolog.LIBCMT ref: 02B79658
                                                                                                              • Part of subcall function 02B79653: __CxxThrowException@8.LIBCMT ref: 02B79681
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                            • String ID: bad cast
                                                                                                            • API String ID: 1300498068-3145022300
                                                                                                            • Opcode ID: 24c89d81179acaa6a194bdf9e65b91274304d4ce792b15c22c7f0d817f1a98fe
                                                                                                            • Instruction ID: 7745348e7090a7ada8c3149148ec18d0ef1638e93f6dd19b2ec9dbd9c060f642
                                                                                                            • Opcode Fuzzy Hash: 24c89d81179acaa6a194bdf9e65b91274304d4ce792b15c22c7f0d817f1a98fe
                                                                                                            • Instruction Fuzzy Hash: 9AF0A032900544DBCB09EF58D840AEEF7B5EF52711F1041EEED1A9B250CB729A46CAD1
                                                                                                            APIs
                                                                                                            • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 6092522A
                                                                                                            • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6094A57F), ref: 60925263
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: sqlite3_log
                                                                                                            • String ID: NULL
                                                                                                            • API String ID: 632333372-324932091
                                                                                                            • Opcode ID: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                                            • Instruction ID: 5a36de60e8574ea04015b231464f09686a41744340efbe7a8a869d8181b3dc96
                                                                                                            • Opcode Fuzzy Hash: f56f6a0e8a895df1b0101c46b9851dc3af9ce5b0d95800d46be4b721d61d1ab1
                                                                                                            • Instruction Fuzzy Hash: BAF0A070238301DBD7102FA6E44230E7AEBABB0798F48C43C95A84F289D7B5C844CB63
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B73886
                                                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02B738A5
                                                                                                              • Part of subcall function 02B71410: std::exception::exception.LIBCMT ref: 02B71428
                                                                                                              • Part of subcall function 02B77987: _memmove.LIBCMT ref: 02B779A7
                                                                                                            Strings
                                                                                                            • Day of month value is out of range 1..31, xrefs: 02B73894
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                            • String ID: Day of month value is out of range 1..31
                                                                                                            • API String ID: 3258419250-1361117730
                                                                                                            • Opcode ID: a56db168cab08f308ef17b2ca2750440441f932e51a5b37a59fe56988a745953
                                                                                                            • Instruction ID: e933dfa944b78177d68479b6f8ef9136affe5c91e7c17245597bed69fa3c4d0b
                                                                                                            • Opcode Fuzzy Hash: a56db168cab08f308ef17b2ca2750440441f932e51a5b37a59fe56988a745953
                                                                                                            • Instruction Fuzzy Hash: 15E0D873E5015467EF18AB98C811BDDB7B9DB09710F0404EAE91277680DAB11944CFD0
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B738D2
                                                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02B738F1
                                                                                                              • Part of subcall function 02B71410: std::exception::exception.LIBCMT ref: 02B71428
                                                                                                              • Part of subcall function 02B77987: _memmove.LIBCMT ref: 02B779A7
                                                                                                            Strings
                                                                                                            • Year is out of valid range: 1400..10000, xrefs: 02B738E0
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                            • String ID: Year is out of valid range: 1400..10000
                                                                                                            • API String ID: 3258419250-2344417016
                                                                                                            • Opcode ID: f9cd72ba4220b2cd39c0fe8989dd834012dec026a7dfd34dab3b1d78b2234503
                                                                                                            • Instruction ID: 0c04d67edb7b568688a7302a002c61ccd68e159414ed5da0762d574d4c4c8c22
                                                                                                            • Opcode Fuzzy Hash: f9cd72ba4220b2cd39c0fe8989dd834012dec026a7dfd34dab3b1d78b2234503
                                                                                                            • Instruction Fuzzy Hash: D0E0D873E501546BEF18EB948811BEDB7B9DF09710F0400EEE92667680DAB11944CF94
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B7391E
                                                                                                            • std::runtime_error::runtime_error.LIBCPMT ref: 02B7393D
                                                                                                              • Part of subcall function 02B71410: std::exception::exception.LIBCMT ref: 02B71428
                                                                                                              • Part of subcall function 02B77987: _memmove.LIBCMT ref: 02B779A7
                                                                                                            Strings
                                                                                                            • Month number is out of range 1..12, xrefs: 02B7392C
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog_memmovestd::exception::exceptionstd::runtime_error::runtime_error
                                                                                                            • String ID: Month number is out of range 1..12
                                                                                                            • API String ID: 3258419250-4198407886
                                                                                                            • Opcode ID: 6d76d14580f587dd145597a6832414c34ee3ec156f5acf909a530f4aaf498ac0
                                                                                                            • Instruction ID: 88926a0cab90b125865f9ef8f3c470c200f87771ab8e04e610165713ab219d01
                                                                                                            • Opcode Fuzzy Hash: 6d76d14580f587dd145597a6832414c34ee3ec156f5acf909a530f4aaf498ac0
                                                                                                            • Instruction Fuzzy Hash: D6E0D873E50114A7EF28EBA48811BEDB7B9DB09710F0400EAE92267680DEB11944CFD0
                                                                                                            APIs
                                                                                                            • TlsAlloc.KERNEL32 ref: 02B719CC
                                                                                                            • GetLastError.KERNEL32 ref: 02B719D9
                                                                                                              • Part of subcall function 02B71712: __EH_prolog.LIBCMT ref: 02B71717
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: AllocErrorH_prologLast
                                                                                                            • String ID: tss
                                                                                                            • API String ID: 249634027-1638339373
                                                                                                            • Opcode ID: 8aa9637f33e2d415b65bd3cb168f78606f09f6dc5ab5cf03c6bff53ff3bc6dc7
                                                                                                            • Instruction ID: fc9109dc96909e9f817eb07492ac94afab9ab9ace50f83863ed63061f6de8643
                                                                                                            • Opcode Fuzzy Hash: 8aa9637f33e2d415b65bd3cb168f78606f09f6dc5ab5cf03c6bff53ff3bc6dc7
                                                                                                            • Instruction Fuzzy Hash: F4E08672D542105B86107B78A80929EBB959B412B1F108BAAEDB9C32D0EA3049518BD6
                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 02B73BD8
                                                                                                            • std::bad_exception::bad_exception.LIBCMT ref: 02B73BED
                                                                                                              • Part of subcall function 02B814B7: std::exception::exception.LIBCMT ref: 02B814C1
                                                                                                              • Part of subcall function 02B79653: __EH_prolog.LIBCMT ref: 02B79658
                                                                                                              • Part of subcall function 02B79653: __CxxThrowException@8.LIBCMT ref: 02B79681
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2922458226.0000000002B71000.00000040.00001000.00020000.00000000.sdmp, Offset: 02B71000, based on PE: false
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_2b71000_classichomecinema.jbxd
                                                                                                            Yara matches
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
                                                                                                            • String ID: bad cast
                                                                                                            • API String ID: 1300498068-3145022300
                                                                                                            • Opcode ID: ac9dffe0394c542dc34e806ba1c9da3cec7e7a7224a096d0d8a5495c4b4148ce
                                                                                                            • Instruction ID: 7adb42e84557aaf8327800bf1e641f6af74cacec85663e10457fbd49f2b02c4b
                                                                                                            • Opcode Fuzzy Hash: ac9dffe0394c542dc34e806ba1c9da3cec7e7a7224a096d0d8a5495c4b4148ce
                                                                                                            • Instruction Fuzzy Hash: 9AE0DF31900148DBCB08EF94D441BBCB7B1EF12300F0081ECEC2A43390CB314905CE81
                                                                                                            APIs
                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4DF
                                                                                                            • TlsGetValue.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4F5
                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D4FD
                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,6096D655,?,?,?,?,?,6096CF88), ref: 6096D520
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000002.00000002.2923216022.0000000060901000.00000020.00000001.01000000.0000000A.sdmp, Offset: 60900000, based on PE: true
                                                                                                            • Associated: 00000002.00000002.2923201447.0000000060900000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923317569.000000006096E000.00000008.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923332893.000000006096F000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923355639.000000006097B000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923371920.000000006097D000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                            • Associated: 00000002.00000002.2923387964.0000000060980000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                            Joe Sandbox IDA Plugin
                                                                                                            • Snapshot File: hcaresult_2_2_60900000_classichomecinema.jbxd
                                                                                                            Similarity
                                                                                                            • API ID: CriticalSection$EnterErrorLastLeaveValue
                                                                                                            • String ID:
                                                                                                            • API String ID: 682475483-0
                                                                                                            • Opcode ID: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                                                            • Instruction ID: 6dd43474153c21470d2d90641e64b96ed0da30414b2d41baa8b5e8831fa3fcb2
                                                                                                            • Opcode Fuzzy Hash: 79e4c3a08b5363d98cc33068bb7bbdcd271105d9d9d9c252471cf05fac27a945
                                                                                                            • Instruction Fuzzy Hash: 9AF0F972A163104BEB10AF659CC1A5A7BFDEFB1218F100048FC6197354E770DC40D6A2