Windows Analysis Report
DouWan-Video-Setup-En-4.3.0.3-x64.exe

Overview

General Information

Sample name: DouWan-Video-Setup-En-4.3.0.3-x64.exe
Analysis ID: 1467120
MD5: 54f1dfbda1d18a3cdb6055546d45dc84
SHA1: 3ff5de326326a96db424dd27df20d1d855a61570
SHA256: d6916e1f1e375b82dcdde615a6fdadeadda98788ce084812ccd6ba133b8a447c
Infos:

Detection

Score: 26
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Compliance

Score: 36
Range: 0 - 100

Signatures

Modifies the windows firewall
Query firmware table information (likely to detect VMs)
Uses netsh to modify the Windows network and firewall settings
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Classes Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • DouWan-Video-Setup-En-4.3.0.3-x64.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe" MD5: 54F1DFBDA1D18A3CDB6055546D45DC84)
    • netsh.exe (PID: 3848 cmdline: netsh advfirewall firewall add rule name="DouWan" dir=in action=allow program="C:\Program Files\douwan\DouWan.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 5820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WerFault.exe (PID: 3740 cmdline: C:\Windows\system32\WerFault.exe -pss -s 488 -p 6016 -ip 6016 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • regsvr32.exe (PID: 3468 cmdline: "C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualcam32.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
    • regsvr32.exe (PID: 5260 cmdline: "C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualaud32.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
    • regsvr32.exe (PID: 5652 cmdline: "C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualcam64.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • regsvr32.exe (PID: 5264 cmdline: /i /s "C:\Program Files\douwan\VCam\douwan-virtualcam64.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • regsvr32.exe (PID: 1740 cmdline: "C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualaud64.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • regsvr32.exe (PID: 1832 cmdline: /i /s "C:\Program Files\douwan\VCam\douwan-virtualaud64.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
    • DouWan.exe (PID: 6016 cmdline: "C:\Program Files\douwan\DouWan.exe" MD5: E9A3B9746938F5A64159092AB84A9A9E)
      • WMIC.exe (PID: 3396 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
        • conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WerFault.exe (PID: 3272 cmdline: C:\Windows\system32\WerFault.exe -u -p 6016 -s 3156 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: DouWan-Video-Setup-En-4.3.0.3-x64.exe PID: 6552 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
    Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 02 00 00 00 00 00 20 00 01 00 00 00 00 00 00 00 30 70 69 33 08 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 30 74 79 33 00 00 00 00 38 00 00 00 48 00 00 00 76 69 64 73 00 00 10 00 80 00 00 AA 00 38 9B 71 4E 56 31 32 00 00 10 00 80 00 00 AA 00 38 9B 71 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\regsvr32.exe, ProcessId: 3468, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0EE-3493-419F-988A-ABA0230EC203}\FilterData
    No Snort rule has matched

    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe, EXE: netsh.exe

    Compliance

    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe, EXE: netsh.exe
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeWindow detected: < &Back&Next >CancelNullsoft Install System v3.06.1 Nullsoft Install System v3.06.1License AgreementPlease review the license terms before installing DouWan 4.3.0.3.Press Page Down to see the rest of the agreement.END-USER LICENSE AGREEMENTIMPORTANT: PLEASE READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE CONTINUING WITH THIS PROGRAM INSTALL:This End-User License Agreement ("EULA") is a binding legal agreement between You the "User" (an individual or single entity) and XinDawn(the "Company") concerning its Software Products such as DouWan for Mac OS DouWan Universal for Windows or DouWan for Linux including associated software components media printed and electronic documentation. By installing copying or otherwise using the Company's Software Products you agree to be bound by the terms and conditions of this EULA. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA DO NOT INSTALL OR USE ANY OF THE COMPANY'S SOFTWARE PRODUCTS.Date of EULA - June 8 20201. LICENSE GRANT. A. The Software Products are licensed not sold.B.Subject to the terms of this EULA You are granted a limited personal revocable worldwide non-assignable non-sublicenseable non-transferable and non-exclusive license to install and use the Software Products. C.You may install and use 1 copy of a Software Product on 1 computer that belongs to You and you may make 1 copy of a Software Product for backup and archival purposes. You are not permitted any other rights concerning distribution of a Software Product.D. You agree not to translate modify sell lease rent loan redistribute sub-lease sub-license make copies of (unless expressly permitted under this License) or create derivative works from a Software Product or any part of a Software Product. 
Any such unauthorized works developed by You and any Intellectual Property Rights embodied therein shall be the sole and exclusive property of the Company; and End User hereby assigns all rights in them (including moral rights) the Company. To the extent Intellectual Property Rights embodied therein are not eligible to be transferred by operation of the law the Company shall be granted exclusive rights to use to the widest extent lawfully possible.E. You agree not to alter merge modify adapt or translate a Software Product or decompile reverse engineer disassemble or otherwise reduce a Software Product to a human-perceivable form. F. This license does NOT guarantee you the right to future upgrades or updates of a Software Product and the Company reserves the right to charge for future upgrades or updates of a Software Product.2. TYPES OF LICENSESThe Company sells and distributes each Software Product under different types of licenses (e.g. education consumer business enterprise etc.) and each type of license contains additional use restrictions. When You purchase a license You agree that at the time of purchase You qualify for that version of the license. If Your representation is inaccurate or false the Compan
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
    Directory created:
      C:\Program Files\douwan
      C:\Program Files\douwan\AdbWinApi.dll
      C:\Program Files\douwan\AdbWinUsbApi.dll
      C:\Program Files\douwan\AirPlayInput.dll
      C:\Program Files\douwan\DouWan.exe
      C:\Program Files\douwan\EndUserLicenseAgreement.rtf
      C:\Program Files\douwan\Qt5Core.dll
      C:\Program Files\douwan\Qt5Gui.dll
      C:\Program Files\douwan\Qt5Network.dll
      C:\Program Files\douwan\Qt5Svg.dll
      C:\Program Files\douwan\Qt5Widgets.dll
      C:\Program Files\douwan\SDL2.dll
      C:\Program Files\douwan\SoftwareLicence.txt
      C:\Program Files\douwan\adb.exe
      C:\Program Files\douwan\api-ms-win-core-console-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-datetime-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-debug-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-errorhandling-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-file-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-file-l1-2-0.dll
      C:\Program Files\douwan\api-ms-win-core-file-l2-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-handle-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-heap-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-interlocked-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-libraryloader-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-localization-l1-2-0.dll
      C:\Program Files\douwan\api-ms-win-core-memory-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-namedpipe-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-processenvironment-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-processthreads-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-processthreads-l1-1-1.dll
      C:\Program Files\douwan\api-ms-win-core-profile-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-rtlsupport-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-string-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-synch-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-synch-l1-2-0.dll
      C:\Program Files\douwan\api-ms-win-core-sysinfo-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-timezone-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-core-util-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-conio-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-convert-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-environment-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-filesystem-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-heap-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-locale-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-math-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-multibyte-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-private-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-process-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-runtime-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-stdio-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-string-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-time-l1-1-0.dll
      C:\Program Files\douwan\api-ms-win-crt-utility-l1-1-0.dll
      C:\Program Files\douwan\avcodec-58.dll
      C:\Program Files\douwan\avformat-58.dll
      C:\Program Files\douwan\avutil-56.dll
      C:\Program Files\douwan\concrt140.dll
      C:\Program Files\douwan\d3dcompiler_47.dll
      C:\Program Files\douwan\d3dx9_43.dll
      C:\Program Files\douwan\douwan.dll
      C:\Program Files\douwan\douwanaudio.dll
      C:\Program Files\douwan\libEGL.dll
      C:\Program Files\douwan\libGLESv2.dll
      C:\Program Files\douwan\libairplay.dll
      C:\Program Files\douwan\libcrypto-1_1-x64.dll
      C:\Program Files\douwan\libssl-1_1-x64.dll
      C:\Program Files\douwan\libyuv.dll
      C:\Program Files\douwan\mDNSResponder.dll
      C:\Program Files\douwan\msvcp120.dll
      C:\Program Files\douwan\msvcp140.dll
      C:\Program Files\douwan\msvcp140_1.dll
      C:\Program Files\douwan\msvcp140_2.dll
      C:\Program Files\douwan\msvcp140_atomic_wait.dll
      C:\Program Files\douwan\msvcp140_codecvt_ids.dll
      C:\Program Files\douwan\msvcr120.dll
      C:\Program Files\douwan\msvcrt.dll
      C:\Program Files\douwan\opengl32sw.dll
      C:\Program Files\douwan\swresample-3.dll
      C:\Program Files\douwan\swscale-5.dll
      C:\Program Files\douwan\ucrtbase.dll
      C:\Program Files\douwan\updater.exe
      C:\Program Files\douwan\vcam.dll
      C:\Program Files\douwan\vccorlib140.dll
      C:\Program Files\douwan\vcruntime140.dll
      C:\Program Files\douwan\vcruntime140_1.dll
      C:\Program Files\douwan\w32-pthreads.dll
      C:\Program Files\douwan\zlib.dll
      C:\Program Files\douwan\VCam
      C:\Program Files\douwan\VCam\default.png
      C:\Program Files\douwan\VCam\default_p.png
      C:\Program Files\douwan\VCam\douwan-virtualaud32.dll
      C:\Program Files\douwan\VCam\douwan-virtualaud64.dll
      C:\Program Files\douwan\VCam\douwan-virtualcam32.dll
      C:\Program Files\douwan\VCam\douwan-virtualcam64.dll
      C:\Program Files\douwan\bearer
      C:\Program Files\douwan\bearer\qgenericbearer.dll
      C:\Program Files\douwan\dashboard
      C:\Program Files\douwan\dashboard\dashboard.css
      C:\Program Files\douwan\dashboard\dashboard.html
      C:\Program Files\douwan\dashboard\icon
      C:\Program Files\douwan\dashboard\icon\details.svg
      C:\Program Files\douwan\dashboard\icon\edit.svg
      C:\Program Files\douwan\dashboard\icon\group.svg
      C:\Program Files\douwan\dashboard\js
      C:\Program Files\douwan\dashboard\js\DlgDeviceGroupEditor.min.js
      C:\Program Files\douwan\dashboard\js\DlgDevicePreview.min.js
      C:\Program Files\douwan\dashboard\js\DlgGroupEditor.min.js
      C:\Program Files\douwan\dashboard\js\api.min.js
      C:\Program Files\douwan\dashboard\js\app.min.js
      C:\Program Files\douwan\dashboard\js\deviceGrid.min.js
      C:\Program Files\douwan\dashboard\js\deviceGridItem.min.js
      C:\Program Files\douwan\dashboard\js\deviceGroupServ.min.js
      C:\Program Files\douwan\dashboard\js\deviceServ.min.js
      C:\Program Files\douwan\dashboard\js\ws.min.js
      C:\Program Files\douwan\dashboard\vendors
      C:\Program Files\douwan\dashboard\vendors\eleTree
      C:\Program Files\douwan\dashboard\vendors\eleTree\CORS
      C:\Program Files\douwan\dashboard\vendors\eleTree\eleTree.js
      C:\Program Files\douwan\dashboard\vendors\eleTree\css
      C:\Program Files\douwan\dashboard\vendors\eleTree\css\icon.css
      C:\Program Files\douwan\dashboard\vendors\eleTree\fonts
      C:\Program Files\douwan\dashboard\vendors\eleTree\fonts\eletree_icon.eot
      C:\Program Files\douwan\dashboard\vendors\eleTree\fonts\eletree_icon.svg
      C:\Program Files\douwan\dashboard\vendors\eleTree\fonts\eletree_icon.ttf
      C:\Program Files\douwan\dashboard\vendors\eleTree\fonts\eletree_icon.woff
      C:\Program Files\douwan\dashboard\vendors\eleTree\images
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\checkFull.png
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\checkHalf.png
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\checkNone.png
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\dropdownOff.png
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\dropdownOn.png
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\fold.jpg
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\fold.png
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\leaf.jpg
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\leaf.png
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\radioCheck.png
      C:\Program Files\douwan\dashboard\vendors\eleTree\images\radioCheckNone.png
      C:\Program Files\douwan\iconengines
      C:\Program Files\douwan\iconengines\qsvgicon.dll
      C:\Program Files\douwan\imageformats
      C:\Program Files\douwan\imageformats\qgif.dll
      C:\Program Files\douwan\imageformats\qicns.dll
      C:\Program Files\douwan\imageformats\qico.dll
      C:\Program Files\douwan\imageformats\qjpeg.dll
      C:\Program Files\douwan\imageformats\qpdf.dll
      C:\Program Files\douwan\imageformats\qsvg.dll
      C:\Program Files\douwan\imageformats\qtga.dll
      C:\Program Files\douwan\imageformats\qtiff.dll
      C:\Program Files\douwan\imageformats\qwbmp.dll
      C:\Program Files\douwan\imageformats\qwebp.dll
      C:\Program Files\douwan\platforms
      C:\Program Files\douwan\platforms\qwindows.dll
      C:\Program Files\douwan\plugins
      C:\Program Files\douwan\plugins\64bit
      C:\Program Files\douwan\plugins\64bit\win-wasapi.dll
      C:\Program Files\douwan\plugins\64bit\xindawn-audio.dll
      C:\Program Files\douwan\plugins\64bit\xindawn-output.dll
      C:\Program Files\douwan\restful
      C:\Program Files\douwan\restful\api.html
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\restful\api.jsJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\restful\help.htmlJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\stylesJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\styles\qwindowsvistastyle.dllJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translationsJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_ar.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_bg.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_ca.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_cs.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_da.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_de.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_en.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_es.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_fi.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_fr.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_gd.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_he.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_hu.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_it.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_ja.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_ko.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_lv.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_pl.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_ru.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_sk.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_tr.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_uk.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\translations\qt_zh_TW.qmJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeDirectory created: C:\Program Files\douwan\uninst.exeJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\EndUserLicenseAgreement.rtfJump to behavior
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe Static PE information: certificate valid
    Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49732 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49739 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49755 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.4:49756 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49757 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49758 version: TLS 1.2
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1973926819.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2063026937.0000000002762000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3dx9_43.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1987242741.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2026176484.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1954389433.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2059564165.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1952159816.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\qtscrcpy\win_updater\bin\x64\Release\Updater.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2009613605.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1966796857.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\install-filter.pdbH source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1969876451.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2005869200.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\svnmain\googlecode\usb-travis\trunk\libusbk\bin\sys\amd64\libusbK.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\bearer\qgenericbearer.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2036460974.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Android\libairplay\iRecorder\src\main\cpp\build-64\LibAirPlay\Release\libairplay.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\install-filter.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1956289930.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1938693832.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1969291087.0000000002766000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\work\mesa\git\mesa\build\windows-x86_64\gallium\targets\libgl-gdi\opengl32.pdbu source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwebp.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2067024729.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\concrt140.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1981616576.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1960125828.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1950528544.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_atomic_wait.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2007148156.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1972586201.0000000002762000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcr120.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2008620374.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\svnmain\googlecode\usb-travis\trunk\libusbk\bin\dll\amd64\libusbK.pdbH source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1935438601.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2006507143.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1961200502.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1975555251.0000000002764000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbBB source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2065331964.000000000276A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\svnmain\googlecode\usb-travis\trunk\libusbk\bin\dll\amd64\libusbK.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1955770091.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sfxcab.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1930517129.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058236702.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1959537310.0000000002766000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2064503548.000000000276A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: F:\Temp\openssl-1.1.1g\libcrypto-1_1-x64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1958028208.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1960704021.0000000002764000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058945176.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1971962294.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\qtscrcpy-new-new\output\win\x64\release\DouWan.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1961731915.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Android\libairplay\iRecorder\src\main\cpp\build-64\LibAirPlay\Release\libairplay.pdb} source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1973073432.000000000276A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libswscale\swscale-5.pdb''' source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\work\mesa\git\mesa\build\windows-x86_64\gallium\targets\libgl-gdi\opengl32.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Z:\airparrot-windows\dependencies\mdnsresponder\mDNSResponder\mDNSWindows\SystemService\x64\Release\mDNSResponder.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2068735910.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2029501912.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\libEGL.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991642582.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1970380215.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1975064291.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1970961082.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\install-filter.pdbp source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\libusb0.pdbH source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2057603547.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: F:\Temp\openssl-1.1.1g\libssl-1_1-x64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2005336941.0000000002766000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1958336058.0000000002760000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\libusb0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1974462657.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2028977593.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libswscale\swscale-5.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1967927887.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp120.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2004495885.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1963965499.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libavutil\avutil-56.pdbggg source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1952925751.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1953634392.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbT source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1930517129.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D3DCompiler_47.pdbGCTL source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1985016363.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1968718763.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qjpeg.pdbRR source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2060362109.00000000027C9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1938693832.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdbUGP source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2026176484.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\libGLESv2.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1994133238.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\svnmain\googlecode\usb-travis\trunk\libusbk\bin\dll\i386\libusbK.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3dx9_43.pdbH source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1987242741.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2065331964.000000000276A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libavformat\avformat-58.pdb{{{ source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980040599.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1951145726.0000000002764000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1968211264.0000000002760000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\libusb0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1971477190.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: F:\Temp\openssl-1.1.1g\libcrypto-1_1-x64.pdbj source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\install-filter.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\libGLESv2.pdb2 source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1994133238.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1975833286.0000000002760000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D3DCompiler_47.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1985016363.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libavutil\avutil-56.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1967370015.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1962649521.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1954930161.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\hudun\AirPlayInput\x64\Release\AirPlayInput.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1957395280.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\SDK\Qt\5.15.2\Src\qtwebengine\build_x64\plugins\imageformats\qpdf.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2061092199.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1g 21 Apr 2020built on: Tue Apr 21 14:24:00 2020 UTCplatform: VC-WIN64A-rttOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1945133125.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libavformat\avformat-58.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980040599.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\libusb0.pdbP source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qjpeg.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2060362109.00000000027C9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2066028695.0000000002766000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_codecvt_ids.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2007460777.0000000002760000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Code function: 0_2_00406739 FindFirstFileW,FindClose,0_2_00406739
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Code function: 0_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405AED
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Code function: 0_2_00402902 FindFirstFileW,0_2_00402902
    Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
    Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
    Source: global traffic | HTTP traffic detected: POST /v1/app/checkVersion?uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en HTTP/1.1 | Host: api.douwan.video | Content-Type: application/x-www-form-urlencoded | Content-Length: 92 | Connection: Keep-Alive | Accept-Encoding: gzip, deflate | Accept-Language: en-CH,* | User-Agent: Mozilla/5.0
    Source: global traffic | HTTP traffic detected: POST /v1/app/getMessage?uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en HTTP/1.1 | Host: api.douwan.video | Content-Type: application/x-www-form-urlencoded | Cookie: airServer=995da025b8a84f29c1aa3ab92d8dcd3f | Content-Length: 92 | Connection: Keep-Alive | Accept-Encoding: gzip, deflate | Accept-Language: en-CH,* | User-Agent: Mozilla/5.0
    Source: global traffic | HTTP traffic detected: POST /RST2.srf HTTP/1.0 | Connection: Keep-Alive | Content-Type: application/soap+xml | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) | Content-Length: 3592 | Host: login.live.com
    Source: global traffic | HTTP traffic detected: POST /ppsecure/deviceaddcredential.srf HTTP/1.0 | Connection: Keep-Alive | Content-Type: application/soap+xml | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) | Content-Length: 7642 | Host: login.live.com
    Source: global traffic | HTTP traffic detected: POST /RST2.srf HTTP/1.0 | Connection: Keep-Alive | Content-Type: application/soap+xml | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68}) | Content-Length: 4775 | Host: login.live.com
    Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.32
    Source: unknown | TCP traffic detected without corresponding DNS query: 20.114.59.183
    Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.214.172
    Source: unknown | TCP traffic detected without corresponding DNS query: 151.101.66.133
    Source: unknown | TCP traffic detected without corresponding DNS query: 151.101.130.133
    Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
    Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.31.73
    Source: global traffic | HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2PgZmmtPrgnHHEs&MD=vwNG4BCV HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
    Source: global traffic | HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Encoding: identity | If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT | Range: bytes=0-2147483646 | User-Agent: Microsoft BITS/7.8 | Host: fs.microsoft.com
    Source: global traffic | HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2PgZmmtPrgnHHEs&MD=vwNG4BCV HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1email.google.comf5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06www.google.comd7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3login.yahoo.com39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:293e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47login.skype.com92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43addons.mozilla.orgb0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0login.live.comd8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0global trustee05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56*.google.com0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4cDigiNotar Root CAf1:4a:13:f4:87:2b:56:dc:39:df:84:ca:7a:a1:06:49DigiNotar Services CA36:16:71:55:43:42:1b:9d:e6:cb:a3:64:41:df:24:38DigiNotar Services 1024 CA0a:82:bd:1e:14:4e:88:14:d7:5b:1a:55:27:be:bf:3eDigiNotar Root CA G2a4:b6:ce:e3:2e:d3:35:46:26:3c:b3:55:3a:a8:92:21CertiID Enterprise Certificate Authority5b:d5:60:9c:64:17:68:cf:21:0e:35:fd:fb:05:ad:41DigiNotar Qualified CA46:9c:2c:b007:27:10:0dDigiNotar Cyber CA07:27:0f:f907:27:10:0301:31:69:b0DigiNotar PKIoverheid CA Overheid en Bedrijven01:31:34:bfDigiNotar PKIoverheid CA Organisatie - G2d6:d0:29:77:f1:49:fd:1a:83:f2:b9:ea:94:8c:5c:b4DigiNotar Extended Validation CA1e:7d:7a:53:3d:45:30:41:96:40:0f:71:48:1f:45:04DigiNotar Public CA 202546:9c:2c:af46:9c:3c:c907:27:14:a9Digisign Server ID (Enrich)4c:0e:63:6aDigisign Server ID - (Enrich)72:03:21:05:c5:0c:08:57:3d:8e:a5:30:4e:fe:e8:b0UTN-USERFirst-Hardware41MD5 Collisions Inc. (http://www.phreedom.org/md5)08:27*.EGO.GOV.TR08:64e-islem.kktcmerkezbankasi.org03:1d:a7AC DG Tr equals www.yahoo.com (Yahoo)
    Source: global traffic | DNS traffic detected: DNS query: api.douwan.video
    Source: global traffic | DNS traffic detected: DNS query: usbserver.douwan.video
    Source: unknown | HTTP traffic detected: POST /v1/app/checkVersion?uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en HTTP/1.1 | Host: api.douwan.video | Content-Type: application/x-www-form-urlencoded | Content-Length: 92 | Connection: Keep-Alive | Accept-Encoding: gzip, deflate | Accept-Language: en-CH,* | User-Agent: Mozilla/5.0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://bugreports.qt.io/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1938693832.0000000002769000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2059564165.0000000002769000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1930517129.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1935438601.000000000539F000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2036460974.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2067024729.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2060362109.00000000027C9000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1945133125.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991642582.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1994133238.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2064503548.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058236702.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2063026937.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2066028695.0000000002766000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2057603547.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.2068735910.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058945176.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2065331964.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1938693832.0000000002769000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2059564165.0000000002769000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1930517129.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1935438601.000000000539F000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2036460974.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2067024729.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2060362109.00000000027C9000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1945133125.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991642582.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1994133238.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2064503548.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058236702.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2063026937.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2066028695.0000000002766000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2057603547.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.2068735910.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058945176.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2065331964.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1938693832.0000000002769000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2059564165.0000000002769000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1930517129.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1935438601.000000000539F000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2036460974.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2067024729.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2060362109.00000000027C9000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1945133125.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991642582.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1994133238.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2064503548.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058236702.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2063026937.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2066028695.0000000002766000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2057603547.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.2068735910.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058945176.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2065331964.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035023796.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035809160.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035023796.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035809160.000000000276A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.2068735910.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058945176.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2065331964.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1938693832.0000000002769000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2059564165.0000000002769000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1930517129.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1935438601.000000000539F000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2036460974.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2067024729.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2060362109.00000000027C9000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1945133125.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991642582.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1994133238.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2064503548.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058236702.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2063026937.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2066028695.0000000002766000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2057603547.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.2068735910.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058945176.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2065331964.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0P
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035023796.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035809160.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035023796.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035809160.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr103
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr30;
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.thawte.com0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035023796.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035809160.000000000276A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035023796.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035809160.000000000276A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035023796.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035809160.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr606
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2089440667.0000000002762000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://qt-project.org/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2089440667.0000000002762000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://qt.io/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2089440667.0000000002762000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://qt.io/licensing/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/cscasha2.cer0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcb.com/universal-root.crl0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://s.symcd.com06
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/encodingStyle(res
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/(res
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035023796.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035809160.000000000276A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991137382.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035023796.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2035809160.000000000276A000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1990132241.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2069552452.0000000002765000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027698850.0000000002764000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2070158162.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030065014.000000000276D000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 
00000000.00000003.2070785688.000000000276C000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2002612781.0000000002768000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sensics.com/osvr
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://subca.ocsp-certum.com01
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1935438601.000000000539F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.certum.pl/CPS0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1935438601.000000000539F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.color.org)
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dns-sd.org/ServiceTypes.html
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globalsign.net/repository/0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globalsign.net/repository/03
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.globalsign.net/repository09
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.gnu.org/licenses/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.gnu.org/philosophy/why-not-lgpl.html
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.phreedom.org/md5)
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.phreedom.org/md5)08:27
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.plutinosoft.com
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.plutinosoft.com/blog/projects/platinum
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.plutinosoft.com/blog/projects/platinumDMR-1.50urn:schemas-upnp-org:metadata-1-0/AVT/urn:u
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.plutinosoft.comDevice
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2030842122.0000000002761000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zlib.net/D
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bugs.freedesktop.org/enter_bug.cgi?product=Mesa
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2039883635.0000000002769000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.staticfile.org/axios/1.4.0/axios.min.js
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2039883635.0000000002769000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.staticfile.org/layui/2.8.11/css/layui.min.css
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2039883635.0000000002769000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.staticfile.org/layui/2.8.11/layui.js
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2072473118.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.staticfile.org/layui/2.8.3/css/layui.min.css
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2072473118.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.staticfile.org/layui/2.8.3/layui.js
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.freescale.com/message/493287#493287
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0.
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000002.2149947105.0000000000591000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1752250340.0000000002767000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1925391754.000000000276E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://douwan.video/compatibility
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1960046524.00000000005CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://douwan.video/compatibility.html
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000002.2149947105.0000000000591000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1752250340.0000000002767000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://douwan.videoPublisher
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2047407200.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/hsiangleev/eleTree.git
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://streams.videolan.org/upload/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.certum.pl/CPS0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe String found in binary or memory: https://www.digicert.com/CPS0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.douwan.video
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.douwan.video/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.douwan.video/https://www.douwan.video
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe String found in binary or memory: https://www.globalsign.com/repository/0
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp, DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openssl.org/H
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openssl.org/docs/faq.html
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xindawn.douwan.video/
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://xindawn.douwan.video/0000000012345678TEST
    Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
    Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
    Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
    Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
    Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
    Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
    Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49732 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49739 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49755 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 40.126.31.73:443 -> 192.168.2.4:49756 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.4:49757 version: TLS 1.2
    Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49758 version: TLS 1.2
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Code function: 0_2_00405582 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1946757341.0000000002768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_393c1d4b-b
    Source: Yara match File source: Process Memory Space: DouWan-Video-Setup-En-4.3.0.3-x64.exe PID: 6552, type: MEMORYSTR
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Program Files\douwan\DouWan.exe File created: C:\Users\user\AppData\Local\Temp\libusb0.sys
    Source: C:\Program Files\douwan\DouWan.exe Code function: String function: 665B5C00 appears 63 times
    Source: C:\Program Files\douwan\DouWan.exe Code function: String function: 00007FFDF8395B40 appears 91 times
    Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 488 -p 6016 -ip 6016
    Source: ucrtbase.dll.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
    Source: winusbcoinstaller2.dll.13.dr Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Microsoft Standalone Update, 256987 bytes, 4 files, at 0x44 +A "WSUSSCAN.cab" +A "Windows6.0-KB971286-x64.cab", flags 0x4, number 1, extra bytes 20 in head, 9 datablocks, 0x1 compression
    Source: winusbcoinstaller2.dll.13.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
    Source: zlib.dll.0.dr Static PE information: Number of sections : 20 > 10
    Source: libyuv.dll.0.dr Static PE information: Number of sections : 11 > 10
    Source: SDL2.dll.0.dr Static PE information: Number of sections : 12 > 10
    Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-util-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-private-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-console-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-crt-process-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l2-1-0.dll.0.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-debug-l1-1-0.dll.0.dr Static PE information: No import functions for PE file found
    Source: api-ms-win-core-string-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-localization-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-profile-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-datetime-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-math-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-locale-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-time-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-file-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-heap-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-environment-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-stdio-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-handle-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-synch-l1-2-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-processthreads-l1-1-1.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-utility-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-conio-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-heap-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-convert-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-runtime-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-crt-string-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: api-ms-win-core-memory-l1-1-0.dll.0.drStatic PE information: No import functions for PE file found
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: Qt5Core.dll.0.drStatic PE information: Section: .qtmimed ZLIB complexity 0.997458770800317
    Source: adb.exe.0.drStatic PE information: Section: .data ZLIB complexity 0.989382571585903
    Source: classification engineClassification label: sus26.evad.winEXE@24/194@2/5
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeCode function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040348F
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeCode function: 0_2_00404822 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404822
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeCode function: 0_2_004021A2 CoCreateInstance,0_2_004021A2
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DouWan
    Source: C:\Program Files\douwan\DouWan.exeMutant created: NULL
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4520:120:WilError_03
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_03
    Source: C:\Program Files\douwan\DouWan.exeMutant created: \Sessions\1\BaseNamedObjects\Global\wdi_destroy_list
    Source: C:\Program Files\douwan\DouWan.exeMutant created: \Sessions\1\BaseNamedObjects\Global\wdi_create_list
    Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6016
    Source: C:\Program Files\douwan\DouWan.exeMutant created: \Sessions\1\BaseNamedObjects\Global\wdi_register_logger
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Users\user\AppData\Local\Temp\nsfFCB5.tmp
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile read: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
    Source: unknownProcess created: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe "C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe"
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="DouWan" dir=in action=allow program="C:\Program Files\douwan\DouWan.exe"
    Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualcam32.dll"
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualaud32.dll"
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualcam64.dll"
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe /i /s "C:\Program Files\douwan\VCam\douwan-virtualcam64.dll"
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualaud64.dll"
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\regsvr32.exe /i /s "C:\Program Files\douwan\VCam\douwan-virtualaud64.dll"
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeProcess created: C:\Program Files\douwan\DouWan.exe "C:\Program Files\douwan\DouWan.exe"
    Source: C:\Program Files\douwan\DouWan.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
    Source: C:\Windows\System32\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -pss -s 488 -p 6016 -ip 6016
    Source: C:\Program Files\douwan\DouWan.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6016 -s 3156
    Source: C:\Windows\System32\WerFault.exeProcess created: unknown unknown
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: DouWan.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\douwan\DouWan.exe
    Source: DouWan.lnk0.0.dr LNK file: ..\..\..\Program Files\douwan\DouWan.exe
    Source: Uninstall DouWan.lnk.0.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\douwan\uninst.exe
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File written: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\ioSpecial.ini
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Automated click: Next >
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Automated click: I accept the terms of the License Agreement
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Automated click: Next >
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Automated click: Install
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Window detected: < &Back &Next > Cancel Nullsoft Install System v3.06.1 Nullsoft Install System v3.06.1 License Agreement Please review the license terms before installing DouWan 4.3.0.3. Press Page Down to see the rest of the agreement. END-USER LICENSE AGREEMENT IMPORTANT: PLEASE READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE CONTINUING WITH THIS PROGRAM INSTALL: This End-User License Agreement ("EULA") is a binding legal agreement between You the "User" (an individual or single entity) and XinDawn (the "Company") concerning its Software Products such as DouWan for Mac OS DouWan Universal for Windows or DouWan for Linux including associated software components media printed and electronic documentation. By installing copying or otherwise using the Company's Software Products you agree to be bound by the terms and conditions of this EULA. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA DO NOT INSTALL OR USE ANY OF THE COMPANY'S SOFTWARE PRODUCTS. Date of EULA - June 8 2020 1. LICENSE GRANT. A. The Software Products are licensed not sold. B. Subject to the terms of this EULA You are granted a limited personal revocable worldwide non-assignable non-sublicenseable non-transferable and non-exclusive license to install and use the Software Products. C. You may install and use 1 copy of a Software Product on 1 computer that belongs to You and you may make 1 copy of a Software Product for backup and archival purposes. You are not permitted any other rights concerning distribution of a Software Product. D. You agree not to translate modify sell lease rent loan redistribute sub-lease sub-license make copies of (unless expressly permitted under this License) or create derivative works from a Software Product or any part of a Software Product.
Any such unauthorized works developed by You and any Intellectual Property Rights embodied therein shall be the sole and exclusive property of the Company; and End User hereby assigns all rights in them (including moral rights) the Company. To the extent Intellectual Property Rights embodied therein are not eligible to be transferred by operation of the law the Company shall be granted exclusive rights to use to the widest extent lawfully possible. E. You agree not to alter merge modify adapt or translate a Software Product or decompile reverse engineer disassemble or otherwise reduce a Software Product to a human-perceivable form. F. This license does NOT guarantee you the right to future upgrades or updates of a Software Product and the Company reserves the right to charge for future upgrades or updates of a Software Product. 2. TYPES OF LICENSES The Company sells and distributes each Software Product under different types of licenses (e.g. education consumer business enterprise etc.) and each type of license contains additional use restrictions. When You purchase a license You agree that at the time of purchase You qualify for that version of the license. If Your representation is inaccurate or false the Compan
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\AdbWinApi.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\AdbWinUsbApi.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\AirPlayInput.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\DouWan.exe
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\EndUserLicenseAgreement.rtf
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\Qt5Core.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\Qt5Gui.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\Qt5Network.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\Qt5Svg.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\Qt5Widgets.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\SDL2.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\SoftwareLicence.txt
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\adb.exe
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-console-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-datetime-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-debug-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-errorhandling-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-file-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-file-l1-2-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-file-l2-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-handle-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-heap-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-interlocked-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-libraryloader-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-localization-l1-2-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-memory-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-namedpipe-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-processenvironment-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-processthreads-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-processthreads-l1-1-1.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-profile-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-rtlsupport-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-string-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-synch-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-synch-l1-2-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-sysinfo-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-timezone-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-core-util-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-conio-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-convert-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-environment-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-filesystem-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-heap-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-locale-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-math-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-multibyte-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-private-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-process-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-runtime-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-stdio-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-string-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-time-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\api-ms-win-crt-utility-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\avcodec-58.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\avformat-58.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\avutil-56.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\concrt140.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\d3dcompiler_47.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\d3dx9_43.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\douwan.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\douwanaudio.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\libEGL.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\libGLESv2.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\libairplay.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\libcrypto-1_1-x64.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\libssl-1_1-x64.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\libyuv.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\mDNSResponder.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\msvcp120.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\msvcp140.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\msvcp140_1.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\msvcp140_2.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\msvcp140_atomic_wait.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\msvcp140_codecvt_ids.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\msvcr120.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\msvcrt.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\opengl32sw.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\swresample-3.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\swscale-5.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\ucrtbase.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\updater.exe
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\vcam.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\vccorlib140.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\vcruntime140.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\vcruntime140_1.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\w32-pthreads.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\zlib.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\VCam
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\VCam\default.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\VCam\default_p.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\VCam\douwan-virtualaud32.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\VCam\douwan-virtualaud64.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\VCam\douwan-virtualcam32.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\VCam\douwan-virtualcam64.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\bearer
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\bearer\qgenericbearer.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\dashboard.css
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\dashboard.html
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\icon
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\icon\details.svg
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\icon\edit.svg
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\icon\group.svg
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js\DlgDeviceGroupEditor.min.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js\DlgDevicePreview.min.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js\DlgGroupEditor.min.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js\api.min.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js\app.min.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js\deviceGrid.min.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js\deviceGridItem.min.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js\deviceGroupServ.min.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js\deviceServ.min.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\js\ws.min.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\CORS
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\eleTree.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\css
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\css\icon.css
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\fonts
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\fonts\eletree_icon.eot
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\fonts\eletree_icon.svg
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\fonts\eletree_icon.ttf
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\fonts\eletree_icon.woff
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\checkFull.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\checkHalf.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\checkNone.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\dropdownOff.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\dropdownOn.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\fold.jpg
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\fold.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\leaf.jpg
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\leaf.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\radioCheck.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\dashboard\vendors\eleTree\images\radioCheckNone.png
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\iconengines
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\iconengines\qsvgicon.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats\qgif.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats\qicns.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats\qico.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats\qjpeg.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats\qpdf.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats\qsvg.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats\qtga.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats\qtiff.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats\qwbmp.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\imageformats\qwebp.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\platforms
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\platforms\qwindows.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\plugins
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\plugins\64bit
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\plugins\64bit\win-wasapi.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\plugins\64bit\xindawn-audio.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\plugins\64bit\xindawn-output.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\restful
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\restful\api.html
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\restful\api.js
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\restful\help.html
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\styles
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\styles\qwindowsvistastyle.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_ar.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_bg.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_ca.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_cs.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_da.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_de.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_en.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_es.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_fi.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_fr.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_gd.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_he.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_hu.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_it.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_ja.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_ko.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_lv.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_pl.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_ru.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_sk.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_tr.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_uk.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\translations\qt_zh_TW.qm
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Directory created: C:\Program Files\douwan\uninst.exe
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exeStatic PE information: certificate valid
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exeStatic file information: File size 46547184 > 1048576
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1973926819.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtsvg\plugins\imageformats\qsvg.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2063026937.0000000002762000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3dx9_43.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1987242741.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2026176484.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1954389433.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qico.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2059564165.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1952159816.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\qtscrcpy\win_updater\bin\x64\Release\Updater.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2027026799.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcrt.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2009613605.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Network.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1937267938.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1966796857.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\install-filter.pdbH source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1969876451.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_1.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2005869200.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\svnmain\googlecode\usb-travis\trunk\libusbk\bin\sys\amd64\libusbK.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\bearer\qgenericbearer.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2036460974.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Android\libairplay\iRecorder\src\main\cpp\build-64\LibAirPlay\Release\libairplay.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\install-filter.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1956289930.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1938693832.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1969291087.0000000002766000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\work\mesa\git\mesa\build\windows-x86_64\gallium\targets\libgl-gdi\opengl32.pdbu source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwebp.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2067024729.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\concrt140.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1981616576.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1960125828.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1950528544.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_atomic_wait.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2007148156.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1972586201.0000000002762000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcr120.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2008620374.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\svnmain\googlecode\usb-travis\trunk\libusbk\bin\dll\amd64\libusbK.pdbH source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Gui.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1935438601.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_2.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2006507143.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1961200502.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1975555251.0000000002764000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdbBB source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2065331964.000000000276A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\svnmain\googlecode\usb-travis\trunk\libusbk\bin\dll\amd64\libusbK.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1955770091.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: sfxcab.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1930517129.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qgif.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058236702.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1959537310.0000000002766000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtga.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2064503548.000000000276A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: F:\Temp\openssl-1.1.1g\libcrypto-1_1-x64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1958028208.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1960704021.0000000002764000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2058945176.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1971962294.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\qtscrcpy-new-new\output\win\x64\release\DouWan.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1961731915.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Android\libairplay\iRecorder\src\main\cpp\build-64\LibAirPlay\Release\libairplay.pdb} source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1997876465.0000000002762000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1973073432.000000000276A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libswscale\swscale-5.pdb''' source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\work\mesa\git\mesa\build\windows-x86_64\gallium\targets\libgl-gdi\opengl32.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Z:\airparrot-windows\dependencies\mdnsresponder\mDNSResponder\mDNSWindows\SystemService\x64\Release\mDNSResponder.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2003555293.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\platforms\qwindows.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2068735910.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2029501912.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\libEGL.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1991642582.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1970380215.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1975064291.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1970961082.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\install-filter.pdbp source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\libusb0.pdbH source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtsvg\plugins\iconengines\qsvgicon.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2057603547.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: F:\Temp\openssl-1.1.1g\libssl-1_1-x64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2001723181.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2005336941.0000000002766000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: `OTHER`TEMP`PACKED<%s return value>internal error: failed to write debug data to pdb streaminternal error: failed to add section contributioninternal warning: PDB Error string is "%S"internal error: failed to close debug infointernal error: failed to close PDBinternal error: failed to open PDB for writing in streaminternal error: failed to create debug info in PDBinternal error: failed to add code section to debug infointernal error: failed to add module to debug infointernal error: failed to create type info in PDBinternal error: failed to create inline type info in PDBinternal error: failed to create source file store in PDBinternal error: failed to close source file store in PDBinternal error: failed to close module in debug infointernal error: failed to commit type info in PDBinternal error: failed to commit inline type info in PDBinternal error: failed to add section header to debug infointernal error: failed to append section header to pdbinternal error: failed to close section header in debug infointernal error: failed to close debug info in PDBinternal error: failed to commit PDBinternal error: PDB data too largeinternal error: PDB stream truncatedinternal error: failed to close source file storeinternal error: failed to close type infointernal error: pdb append failedfxl_4_0too many arguments to target TXtoo many outputs to target TXclip not supported in texture shadersinvalid reference to input semantic '%s%d'invalid reference to output semantic '%s%d'0123456789abcdef.pdbVPosSV_ViewportArrayIndexColorFailed to log error, redirecting to debug output: source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1985016363.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1958336058.0000000002760000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\amd64\libusb0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1974462657.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2028977593.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libswscale\swscale-5.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2025081385.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1967927887.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: msvcp120.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2004495885.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1963965499.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libavutil\avutil-56.pdbggg source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1952925751.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1953634392.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Core.pdbT source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1930517129.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D3DCompiler_47.pdbGCTL source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1985016363.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1968718763.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qjpeg.pdbRR source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2060362109.00000000027C9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtsvg\lib\Qt5Svg.pdb** source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1938693832.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ucrtbase.pdbUGP source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2026176484.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\libGLESv2.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1994133238.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\svnmain\googlecode\usb-travis\trunk\libusbk\bin\dll\i386\libusbK.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d3dx9_43.pdbH source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1987242741.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qtiff.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2065331964.000000000276A000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libavformat\avformat-58.pdb{{{ source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980040599.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1951145726.0000000002764000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1968211264.0000000002760000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\libusb0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1971477190.0000000002765000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: F:\Temp\openssl-1.1.1g\libcrypto-1_1-x64.pdbj source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\install-filter.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\libGLESv2.pdb2 source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1994133238.0000000002767000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1975833286.0000000002760000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D3DCompiler_47.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1985016363.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libavutil\avutil-56.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980844814.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1967370015.000000000539F000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1962649521.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1954930161.0000000002769000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\hudun\AirPlayInput\x64\Release\AirPlayInput.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1898729932.000000000276E000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1957395280.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: E:\SDK\Qt\5.15.2\Src\qtwebengine\build_x64\plugins\imageformats\qpdf.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2061092199.000000000276D000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MT /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1g 21 Apr 2020built on: Tue Apr 21 14:24:00 2020 UTCplatform: VC-WIN64A-rttOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2000530367.0000000002768000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Widgets.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1945133125.0000000002763000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Dev\XindawnGit\ffmpeg\build_sdk-win-x64-clvs2017\libavformat\avformat-58.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1980040599.000000000276B000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: z:\projects\libusb-win32-stage\ddk_make\output\i386\libusb0.pdbP source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtbase\plugins\imageformats\qjpeg.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2060362109.00000000027C9000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qwbmp.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2066028695.0000000002766000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: d:\a01\_work\2\s\\binaries\amd64ret\bin\amd64\\msvcp140_codecvt_ids.amd64.pdb source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2007460777.0000000002760000.00000004.00000020.00020000.00000000.sdmp
    Source: msvcrt.dll.0.dr Static PE information: 0xF5BDEFD7 [Wed Aug 25 08:27:03 2100 UTC]
    Source: qpdf.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x9d25
    Source: FindProcDLL.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xf1e2
    Source: System.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x82fd
    Source: nsExec.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xc5ea
    Source: uninst.exe.0.dr Static PE information: real checksum: 0x2c6f39c should be: 0x6a125
    Source: douwan-virtualaud32.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x5f3e6
    Source: avformat-58.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xacaca
    Source: douwan-virtualaud64.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x72f39
    Source: InstallOptions.dll.0.dr Static PE information: real checksum: 0x0 should be: 0xf13f
    Source: Qt5Core.dll.0.dr Static PE information: section name: .qtmimed
    Source: SDL2.dll.0.dr Static PE information: section name: .xdata
    Source: adb.exe.0.dr Static PE information: section name: .buildid
    Source: adb.exe.0.dr Static PE information: section name: .gcc_exc
    Source: qsvgicon.dll.0.dr Static PE information: section name: .qtmetad
    Source: qgif.dll.0.dr Static PE information: section name: .qtmetad
    Source: qicns.dll.0.dr Static PE information: section name: .qtmetad
    Source: qico.dll.0.dr Static PE information: section name: .qtmetad
    Source: qjpeg.dll.0.dr Static PE information: section name: .qtmetad
    Source: qpdf.dll.0.dr Static PE information: section name: .qtmetad
    Source: qsvg.dll.0.dr Static PE information: section name: .qtmetad
    Source: qtga.dll.0.dr Static PE information: section name: .qtmetad
    Source: qtiff.dll.0.dr Static PE information: section name: .qtmetad
    Source: qwbmp.dll.0.dr Static PE information: section name: .qtmetad
    Source: qwebp.dll.0.dr Static PE information: section name: .qtmetad
    Source: qwindows.dll.0.dr Static PE information: section name: .qtmetad
    Source: qwindowsvistastyle.dll.0.dr Static PE information: section name: .qtmetad
    Source: douwan.dll.0.dr Static PE information: section name: _RDATA
    Source: libyuv.dll.0.dr Static PE information: section name: .00cfg
    Source: libyuv.dll.0.dr Static PE information: section name: .gehcont
    Source: libyuv.dll.0.dr Static PE information: section name: .gxfg
    Source: libyuv.dll.0.dr Static PE information: section name: .voltbl
    Source: libyuv.dll.0.dr Static PE information: section name: _RDATA
    Source: opengl32sw.dll.0.dr Static PE information: section name: _RDATA
    Source: vcam.dll.0.dr Static PE information: section name: _RDATA
    Source: vcruntime140.dll.0.dr Static PE information: section name: _RDATA
    Source: zlib.dll.0.dr Static PE information: section name: .xdata
    Source: zlib.dll.0.dr Static PE information: section name: /4
    Source: zlib.dll.0.dr Static PE information: section name: /19
    Source: zlib.dll.0.dr Static PE information: section name: /31
    Source: zlib.dll.0.dr Static PE information: section name: /45
    Source: zlib.dll.0.dr Static PE information: section name: /57
    Source: zlib.dll.0.dr Static PE information: section name: /70
    Source: zlib.dll.0.dr Static PE information: section name: /81
    Source: zlib.dll.0.dr Static PE information: section name: /92
    Source: douwan-virtualcam64.dll.0.dr Static PE information: section name: _RDATA
    Source: qgenericbearer.dll.0.dr Static PE information: section name: .qtmetad
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualcam32.dll"
    Source: C:\Program Files\douwan\DouWan.exe Code function: 13_2_6AD1844E push rbx; ret 13_2_6AD1844F
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\libairplay.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\msvcp140_1.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\msvcp140_codecvt_ids.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\api-ms-win-crt-convert-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\libcrypto-1_1-x64.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\avcodec-58.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\iconengines\qsvgicon.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\msvcp120.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\api-ms-win-core-memory-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\api-ms-win-crt-multibyte-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\vcruntime140_1.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\SDL2.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\msvcr120.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\api-ms-win-core-debug-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\styles\qwindowsvistastyle.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\Qt5Network.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe File created: C:\Program Files\douwan\api-ms-win-core-timezone-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\mDNSResponder.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\w32-pthreads.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\VCam\douwan-virtualcam64.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\bearer\qgenericbearer.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\plugins\64bit\win-wasapi.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-file-l2-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\AdbWinUsbApi.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\System.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\libEGL.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\imageformats\qtiff.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\vcruntime140.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\Qt5Svg.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\msvcp140.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\FindProcDLL.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\AdbWinApi.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\platforms\qwindows.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-file-l1-2-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\concrt140.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\libGLESv2.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\msvcp140_atomic_wait.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\nsExec.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\swscale-5.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\adb.exeJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\douwan.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\d3dcompiler_47.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\Qt5Gui.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\imageformats\qgif.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\ucrtbase.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\Qt5Core.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\VCam\douwan-virtualcam32.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-file-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-console-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\plugins\64bit\xindawn-audio.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-util-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\imageformats\qwebp.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\imageformats\qwbmp.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\VCam\douwan-virtualaud32.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
    Source: C:\Program Files\douwan\DouWan.exeFile created: C:\Users\user\AppData\Local\Temp\libusbK.sysJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\InstallOptions.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\imageformats\qpdf.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\libyuv.dllJump to dropped file
    Source: C:\Program Files\douwan\DouWan.exeFile created: C:\Users\user\AppData\Local\Temp\winusbcoinstaller2.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\VCam\douwan-virtualaud64.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\vcam.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\DouWan.exeJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\uninst.exeJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\swresample-3.dllJump to dropped file
    Source: C:\Program Files\douwan\DouWan.exeFile created: C:\Users\user\AppData\Local\Temp\libusb0.sysJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\imageformats\qsvg.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\imageformats\qico.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\vccorlib140.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\msvcrt.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-string-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\libssl-1_1-x64.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\opengl32sw.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\zlib.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\imageformats\qtga.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\imageformats\qjpeg.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\d3dx9_43.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\imageformats\qicns.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\douwanaudio.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\Qt5Widgets.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\plugins\64bit\xindawn-output.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\avutil-56.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\msvcp140_2.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\updater.exeJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\avformat-58.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\AirPlayInput.dllJump to dropped file
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Program Files\douwan\EndUserLicenseAgreement.rtfJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DouWanJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DouWan\DouWan.lnkJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DouWan\Uninstall DouWan.lnkJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\douwan\DouWan.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Program Files\douwan\DouWan.exeSystem information queried: FirmwareTableInformationJump to behavior
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-private-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\msvcp140_codecvt_ids.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-convert-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-datetime-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\VCam\douwan-virtualcam32.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-file-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-runtime-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-utility-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\iconengines\qsvgicon.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\msvcp120.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-console-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-localization-l1-2-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-multibyte-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-memory-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\plugins\64bit\xindawn-audio.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\msvcr120.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-util-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-debug-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\styles\qwindowsvistastyle.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-profile-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\imageformats\qwebp.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\imageformats\qwbmp.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-timezone-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\VCam\douwan-virtualcam64.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-heap-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\bearer\qgenericbearer.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\VCam\douwan-virtualaud32.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\plugins\64bit\win-wasapi.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-processenvironment-l1-1-0.dll
    Source: C:\Program Files\douwan\DouWan.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libusbK.sys
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-file-l2-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\AdbWinUsbApi.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-processthreads-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\InstallOptions.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\System.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-errorhandling-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\imageformats\qpdf.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\libEGL.dll
    Source: C:\Program Files\douwan\DouWan.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\winusbcoinstaller2.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\VCam\douwan-virtualaud64.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-stdio-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-filesystem-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-namedpipe-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\imageformats\qtiff.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-heap-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\uninst.exe
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\FindProcDLL.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-math-l1-1-0.dll
    Source: C:\Program Files\douwan\DouWan.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\libusb0.sys
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\AdbWinApi.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\platforms\qwindows.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-synch-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-file-l1-2-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\concrt140.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-environment-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\imageformats\qsvg.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-interlocked-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-process-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\imageformats\qico.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\vccorlib140.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-rtlsupport-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-handle-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-processthreads-l1-1-1.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\libssl-1_1-x64.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-string-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\opengl32sw.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-time-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\imageformats\qtga.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\libGLESv2.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\msvcp140_atomic_wait.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-conio-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\nsExec.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-locale-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\imageformats\qjpeg.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\adb.exe
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\imageformats\qicns.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-sysinfo-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\plugins\64bit\xindawn-output.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-crt-string-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\msvcp140_2.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\updater.exe
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\d3dcompiler_47.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-libraryloader-l1-1-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\api-ms-win-core-synch-l1-2-0.dll
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Dropped PE file which has not been started: C:\Program Files\douwan\imageformats\qgif.dll
    Source: C:\Program Files\douwan\DouWan.exe | File opened: PhysicalDrive0
    Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | File Volume queried: C:\Program Files FullSizeInformation
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Code function: 0_2_00406739 FindFirstFileW,FindClose,0_2_00406739
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Code function: 0_2_00405AED GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405AED
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Code function: 0_2_00402902 FindFirstFileW,0_2_00402902
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: LLVMX86_FP80TypeKind
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: invalid PARAM usage_mesa_symbol_table_push_scope_mesa_symbol_table_add_global_symbol_mesa_symbol_table_add_symbolARB_ARB_position_invariantexpfog_linearexp2nicestprecision_hint_draw_buffersfastestfragment_coord_fragment_program_shadowpixel_center_integerorigin_upper_leftATI_fatal flex scanner internal error--no action foundfatal error - scanner input buffer overflowfatal flex scanner internal error--end of buffer missedout of dynamic memory in yy_get_next_buffer()input in flex scanner failedout of dynamic memory in _mesa_program_lexer__create_buffer()flex scanner push-back overflowout of dynamic memory in _mesa_program_lexer__scan_buffer()out of dynamic memory in _mesa_program_lexer_ensure_buffer_stack()bad buffer in _mesa_program_lexer__scan_bytes()out of dynamic memory in _mesa_program_lexer__scan_bytes()_mesa_program_lexer_set_column called with no buffer_mesa_program_lexer_set_lineno called with no bufferVMware, Inc.SOFTPIPE_USE_LLVMUnexpected PIPE_CAP %d query
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.2022852168.0000000002837000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: t2t1dst0t3dst2dst1dst3LLVMVoidTypeKindLLVMDoubleTypeKindLLVMFloatTypeKindLLVMFP128TypeKindLLVMX86_FP80TypeKindLLVMLabelTypeKindLLVMPPC_FP128TypeKindLLVMFunctionTypeKindLLVMIntegerTypeKindLLVMArrayTypeKindLLVMStructTypeKindLLVMVectorTypeKindLLVMPointerTypeKindunknown LLVMTypeKindLLVMMetadataTypeKindVector [%u] of %s
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1924613470.000000000276C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMWare, Inc.
    Source: DouWan-Video-Setup-En-4.3.0.3-x64.exe, 00000000.00000003.1935438601.000000000539F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .?AVQEmulationPaintEngine@@
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | API call chain: ExitProcess graph end node graph_0-3883
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Process information queried: ProcessInformation
    Source: C:\Program Files\douwan\DouWan.exe | Code function: 13_2_00007FFDF8354A60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_00007FFDF8354A60
    Source: C:\Program Files\douwan\DouWan.exe | Code function: 13_2_6AD13D30 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_6AD13D30
    Source: C:\Program Files\douwan\DouWan.exe | Code function: 13_2_00007FFDF8354BAC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00007FFDF8354BAC
    Source: C:\Program Files\douwan\DouWan.exe | Code function: 13_2_00007FFDF83B30D4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,13_2_00007FFDF83B30D4
    Source: C:\Program Files\douwan\DouWan.exe | Code function: 13_2_00007FFDF83B3220 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,13_2_00007FFDF83B3220
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="DouWan" dir=in action=allow program="C:\Program Files\douwan\DouWan.exe"
    Source: C:\Program Files\douwan\DouWan.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
    Source: C:\Program Files\douwan\DouWan.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\platforms\qwindows.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\styles\qwindowsvistastyle.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\bearer\qgenericbearer.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\Qt5Network.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\imageformats\qgif.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\imageformats\qicns.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\imageformats\qico.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\imageformats\qjpeg.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\imageformats\qpdf.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\imageformats\qtga.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\imageformats\qwbmp.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Queries volume information: C:\Program Files\douwan\iconengines\qsvgicon.dll VolumeInformation
    Source: C:\Program Files\douwan\DouWan.exe | Code function: 13_2_6AD13C50 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,13_2_6AD13C50
    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Code function: 0_2_0040348F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040348F
    Source: C:\Program Files\douwan\DouWan.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Lowering of HIPS / PFW / Operating System Security Settings

    Source: C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="DouWan" dir=in action=allow program="C:\Program Files\douwan\DouWan.exe"

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
    Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell
    Persistence: DLL Side-Loading (1); DLL Search Order Hijacking (1); Windows Service (1); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
    Privilege Escalation: DLL Side-Loading (1); DLL Search Order Hijacking (1); Access Token Manipulation (1); Windows Service (1); Process Injection (11); Registry Run Keys / Startup Folder (1); Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
    Defense Evasion: Disable or Modify Tools (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); Timestomp (1); DLL Side-Loading (1); DLL Search Order Hijacking (1); Masquerading (3); Virtualization/Sandbox Evasion (12); Access Token Manipulation (1); Process Injection (11); Regsvr32 (1)
    Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
    Discovery: System Time Discovery (1); File and Directory Discovery (3); System Information Discovery (46); Security Software Discovery (131); Virtualization/Sandbox Evasion (12); Process Discovery (1); Remote System Discovery; System Owner/User Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content
    Collection: Archive Collected Data (11); Input Capture (11); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
    Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (3); Application Layer Protocol (14); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium
    Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
    [Behavior graph: ID 1467120, Sample: DouWan-Video-Setup-En-4.3.0..., Startdate: 03/07/2024, Architecture: WINDOWS, Score: 26]

    Source | Detection | Scanner | Label | Link
    DouWan-Video-Setup-En-4.3.0.3-x64.exe | 0% | ReversingLabs

    Source | Detection | Scanner | Label | Link
    C:\Program Files\douwan\AdbWinApi.dll | 0% | ReversingLabs
    C:\Program Files\douwan\AdbWinUsbApi.dll | 3% | ReversingLabs
    C:\Program Files\douwan\AirPlayInput.dll | 0% | ReversingLabs
    C:\Program Files\douwan\DouWan.exe | 0% | ReversingLabs
    C:\Program Files\douwan\Qt5Core.dll | 0% | ReversingLabs
    C:\Program Files\douwan\Qt5Gui.dll | 0% | ReversingLabs
    C:\Program Files\douwan\Qt5Network.dll | 0% | ReversingLabs
    C:\Program Files\douwan\Qt5Svg.dll | 0% | ReversingLabs
    C:\Program Files\douwan\Qt5Widgets.dll | 0% | ReversingLabs
    C:\Program Files\douwan\SDL2.dll | 0% | ReversingLabs
    C:\Program Files\douwan\VCam\douwan-virtualaud32.dll | 0% | ReversingLabs
    C:\Program Files\douwan\VCam\douwan-virtualaud64.dll | 0% | ReversingLabs
    C:\Program Files\douwan\VCam\douwan-virtualcam32.dll | 0% | ReversingLabs
    C:\Program Files\douwan\VCam\douwan-virtualcam64.dll | 0% | ReversingLabs
    C:\Program Files\douwan\adb.exe | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-heap-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-locale-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-math-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-multibyte-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-private-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-process-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-runtime-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-stdio-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-string-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-time-l1-1-0.dll | 0% | ReversingLabs
    C:\Program Files\douwan\api-ms-win-crt-utility-l1-1-0.dll0%ReversingLabs
    C:\Program Files\douwan\avcodec-58.dll0%ReversingLabs
    C:\Program Files\douwan\avformat-58.dll0%ReversingLabs
    C:\Program Files\douwan\avutil-56.dll0%ReversingLabs
    C:\Program Files\douwan\bearer\qgenericbearer.dll0%ReversingLabs
    C:\Program Files\douwan\concrt140.dll0%ReversingLabs
    C:\Program Files\douwan\d3dcompiler_47.dll0%ReversingLabs
    C:\Program Files\douwan\d3dx9_43.dll0%ReversingLabs
    C:\Program Files\douwan\douwan.dll0%ReversingLabs
    C:\Program Files\douwan\douwanaudio.dll0%ReversingLabs
    C:\Program Files\douwan\iconengines\qsvgicon.dll0%ReversingLabs
    C:\Program Files\douwan\imageformats\qgif.dll0%ReversingLabs
    C:\Program Files\douwan\imageformats\qicns.dll0%ReversingLabs
    C:\Program Files\douwan\imageformats\qico.dll0%ReversingLabs
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    http://schemas.xmlsoap.org/soap/envelope/0%URL Reputationsafe
    http://crl.thawte.com/ThawteTimestampingCA.crl00%URL Reputationsafe
    http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
    http://ocsp.thawte.com00%URL Reputationsafe
    http://nsis.sf.net/NSIS_ErrorError0%URL Reputationsafe
    http://secure.globalsign.net/cacert/ObjectSign.crt090%Avira URL Cloudsafe
    https://www.douwan.video/https://www.douwan.video0%Avira URL Cloudsafe
    http://repository.certum.pl/cscasha2.cer00%Avira URL Cloudsafe
    http://libwdi.akeo.ie1.3.6.1.5.5.7.2.1http://libwdi-cps.akeo.ieCryptEncodeObjectCreateSelfSignedCert0%Avira URL Cloudsafe
    http://developer.android.com/tools/device.htmlinsufficient0%Avira URL Cloudsafe
    http://www.phreedom.org/md5)08:270%Avira URL Cloudsafe
    https://cdn.staticfile.org/axios/1.4.0/axios.min.js0%Avira URL Cloudsafe
    https://douwan.video/compatibility0%Avira URL Cloudsafe
    http://www.plutinosoft.com/blog/projects/platinumDMR-1.50urn:schemas-upnp-org:metadata-1-0/AVT/urn:u0%Avira URL Cloudsafe
    https://douwan.videoPublisher0%Avira URL Cloudsafe
    https://www.douwan.video0%Avira URL Cloudsafe
    https://github.com/hsiangleev/eleTree.git0%Avira URL Cloudsafe
    http://www.globalsign.net/repository/00%Avira URL Cloudsafe
    http://libusb-win32.sourceforge.net0%Avira URL Cloudsafe
    http://bugreports.qt.io/0%Avira URL Cloudsafe
    http://www.plutinosoft.com/blog/projects/platinum0%Avira URL Cloudsafe
    https://xindawn.douwan.video/0000000012345678TEST0%Avira URL Cloudsafe
    https://cdn.staticfile.org/layui/2.8.3/layui.js0%Avira URL Cloudsafe
    https://douwan.video/compatibility.html0%Avira URL Cloudsafe
    http://schemas.xmlsoap.org/soap/encoding/encodingStyle(res0%Avira URL Cloudsafe
    https://streams.videolan.org/upload/0%Avira URL Cloudsafe
    https://api.douwan.video/v1/app/getMessage?uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en0%Avira URL Cloudsafe
    http://www.globalsign.net/repository090%Avira URL Cloudsafe
    http://subca.ocsp-certum.com010%Avira URL Cloudsafe
    https://cdn.staticfile.org/layui/2.8.11/css/layui.min.css0%Avira URL Cloudsafe
    https://cdn.staticfile.org/layui/2.8.3/css/layui.min.css0%Avira URL Cloudsafe
    http://sensics.com/osvr0%Avira URL Cloudsafe
    http://developer.android.com/tools/device.html0%Avira URL Cloudsafe
    http://qt-project.org/0%Avira URL Cloudsafe
    http://www.certum.pl/CPS00%Avira URL Cloudsafe
    http://www.gnu.org/licenses/0%Avira URL Cloudsafe
    http://www.gnu.org/philosophy/why-not-lgpl.html0%Avira URL Cloudsafe
    https://xindawn.douwan.video/0%Avira URL Cloudsafe
    https://community.freescale.com/message/493287#4932870%Avira URL Cloudsafe
    http://www.phreedom.org/md5)0%Avira URL Cloudsafe
    http://repository.certum.pl/ctnca.cer090%Avira URL Cloudsafe
    https://www.douwan.video/0%Avira URL Cloudsafe
    https://www.openssl.org/docs/faq.html0%Avira URL Cloudsafe
    http://www.aiim.org/pdfa/ns/id/0%Avira URL Cloudsafe
    http://crl.certum.pl/ctnca.crl0k0%Avira URL Cloudsafe
    http://www.color.org)0%Avira URL Cloudsafe
    http://www.plutinosoft.com0%Avira URL Cloudsafe
    https://www.certum.pl/CPS00%Avira URL Cloudsafe
    http://cscasha2.ocsp-certum.com040%Avira URL Cloudsafe
    http://qt.io/licensing/0%Avira URL Cloudsafe
    http://crl.certum.pl/cscasha2.crl0q0%Avira URL Cloudsafe
    http://libusb.info0%Avira URL Cloudsafe
    https://bugs.freedesktop.org/enter_bug.cgi?product=Mesa0%Avira URL Cloudsafe
    http://llvm.org/):0%Avira URL Cloudsafe
    http://secure.globalsign.net/cacert/PrimObject.crt00%Avira URL Cloudsafe
    http://libusb-win32.sourceforge.netd0%Avira URL Cloudsafe
    http://www.dns-sd.org/ServiceTypes.html0%Avira URL Cloudsafe
    http://libusb-win32.sourceforge.netb0%Avira URL Cloudsafe
    http://www.zlib.net/D0%Avira URL Cloudsafe
    http://libwdi-cps.akeo.ie0%Avira URL Cloudsafe
    https://www.openssl.org/H0%Avira URL Cloudsafe
    http://www.plutinosoft.comDevice0%Avira URL Cloudsafe
    https://api.douwan.video/v1/app/checkVersion?uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en0%Avira URL Cloudsafe
    http://qt.io/0%Avira URL Cloudsafe
    http://fsf.org/0%Avira URL Cloudsafe
    http://schemas.xmlsoap.org/soap/envelope/(res0%Avira URL Cloudsafe
    http://bugreports.qt.io/_q_receiveReplyensureClientPrefaceSentMicrosoft-IIS/4.Microsoft-IIS/5.Netsca0%Avira URL Cloudsafe
    http://www.globalsign.net/repository/030%Avira URL Cloudsafe
    http://libusb-win32.sourceforge.netN0%Avira URL Cloudsafe
    https://cdn.staticfile.org/layui/2.8.11/layui.js0%Avira URL Cloudsafe
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    usbserver.douwan.video | 47.104.158.224 | true | false | | unknown
    api.douwan.video | 101.200.59.29 | true | false | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        https://api.douwan.video/v1/app/getMessage?uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en | false | Avira URL Cloud: safe | unknown
        https://api.douwan.video/v1/app/checkVersion?uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en | false | Avira URL Cloud: safe | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        47.104.158.224 | usbserver.douwan.video | China | | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
        239.255.255.250 | unknown | Reserved | | unknown | unknown | false
        101.200.59.29 | api.douwan.video | China | | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | false
        IP
        192.168.2.4
        127.0.0.1
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1467120
        Start date and time:2024-07-03 17:59:33 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 9m 49s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:22
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:DouWan-Video-Setup-En-4.3.0.3-x64.exe
        Detection:SUS
        Classification:sus26.evad.winEXE@24/194@2/5
        EGA Information:
        • Successful, ratio: 50%
        HCA Information:Failed
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
        • Excluded IPs from analysis (whitelisted): 88.221.110.91, 192.229.221.95, 20.189.173.22
        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
        • Execution Graph export aborted for target DouWan.exe, PID 6016 because there are no executed functions
        • Not all processes were analyzed, report is missing behavior information
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtDeviceIoControlFile calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.
        • Report size getting too big, too many NtProtectVirtualMemory calls found.
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: DouWan-Video-Setup-En-4.3.0.3-x64.exe
        Time | Type | Description
        12:01:11 | API Interceptor | 179x Sleep call for process: DouWan.exe modified
        12:01:12 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
        12:01:37 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
        Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                            No context
                            Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
28a2c9bd18a11de089ef85a160da29e4 | Baylor.pdf | Get hash | malicious | HTMLPhisher | Browse | 184.28.90.27, 40.126.31.73, 173.222.162.32, 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | http://ferjex.com | Get hash | malicious | Unknown | Browse | 184.28.90.27, 40.126.31.73, 173.222.162.32, 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | Service Desk - Please verify your Account!.eml | Get hash | malicious | HTMLPhisher | Browse | 184.28.90.27, 40.126.31.73, 173.222.162.32, 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | http://beetrootculture.com | Get hash | malicious | Unknown | Browse | 184.28.90.27, 40.126.31.73, 173.222.162.32, 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | https://url.us.m.mimecastprotect.com/s/GSubCpYn1pC4mvoJtD-hLP?domain=brileyfinancial-my.sharepoint.com | Get hash | malicious | HTMLPhisher | Browse | 184.28.90.27, 40.126.31.73, 173.222.162.32, 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | NSLC_Billing_Document_No_0240255100.html | Get hash | malicious | CVE-2024-21412 | Browse | 184.28.90.27, 40.126.31.73, 173.222.162.32, 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | https://isothermcx-my.sharepoint.com/:o:/p/m_chiasson/EldSmlva1OBFixvWpubo0mgB0DZQ4Do42riWb9YO1XmP-g?e=5%3av4rvfI&at=9 | Get hash | malicious | HTMLPhisher | Browse | 184.28.90.27, 40.126.31.73, 173.222.162.32, 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | http://booking.extnnehotteir.com/admin/o2shi1bka89 | Get hash | malicious | Unknown | Browse | 184.28.90.27, 40.126.31.73, 173.222.162.32, 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | Vertex Business Services_SKM_C950633210_650106.pdf | Get hash | malicious | HTMLPhisher | Browse | 184.28.90.27, 40.126.31.73, 173.222.162.32, 20.114.59.183
28a2c9bd18a11de089ef85a160da29e4 | https://www.filemail.com/t/RuKZYfeB | Get hash | malicious | HTMLPhisher | Browse | 184.28.90.27, 40.126.31.73, 173.222.162.32, 20.114.59.183
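Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Program Files\douwan\AdbWinUsbApi.dll | hatabat.exe | Get hash | malicious | Blank Grabber, DCRat, XWorm | Browse |
C:\Program Files\douwan\AdbWinUsbApi.dll | SecuriteInfo.com.Win32.Trojan.Agent.M47LP3.18905.20801.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinUsbApi.dll | SecuriteInfo.com.Win32.Trojan.Agent.M47LP3.18905.20801.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinUsbApi.dll | Red_Magic_Studio_international_release_V1.5.5_x86.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinUsbApi.dll | MDE_File_Sample_aa447845a64e29145a9489f43972beebcb33cfba.zip | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinUsbApi.dll | https://www.mediafire.com/download_repair.php?qkey=v6y1shsvt0m1lh6&dkey=vkvdhxewiw8&template=51&origin=click_button | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinUsbApi.dll | https://nuts.vysor.io/download/win32 | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinUsbApi.dll | file.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinUsbApi.dll | file.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinUsbApi.dll | YZgV0kQoYZ.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinApi.dll | hatabat.exe | Get hash | malicious | Blank Grabber, DCRat, XWorm | Browse |
C:\Program Files\douwan\AdbWinApi.dll | SecuriteInfo.com.Win32.Trojan.Agent.M47LP3.18905.20801.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinApi.dll | SecuriteInfo.com.Win32.Trojan.Agent.M47LP3.18905.20801.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinApi.dll | Red_Magic_Studio_international_release_V1.5.5_x86.exe | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinApi.dll | MDE_File_Sample_aa447845a64e29145a9489f43972beebcb33cfba.zip | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinApi.dll | https://www.mediafire.com/download_repair.php?qkey=v6y1shsvt0m1lh6&dkey=vkvdhxewiw8&template=51&origin=click_button | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinApi.dll | https://nuts.vysor.io/download/win32 | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinApi.dll | FaceID Pro.msi | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinApi.dll | FaceID Pro.msi | Get hash | malicious | Unknown | Browse |
C:\Program Files\douwan\AdbWinApi.dll | file.exe | Get hash | malicious | Unknown | Browse |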
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):97792
                                                                    Entropy (8bit):6.290809134958502
                                                                    Encrypted:false
                                                                    SSDEEP:1536:Jwqdq+3pvspmLh8SCykrpTG7kfGHuNezq02XJqo+iFi1yCP:JwqD3L8Tezq0et+ui1y
                                                                    MD5:ED5A809DC0024D83CBAB4FB9933D598D
                                                                    SHA1:0BC5A82327F8641D9287101E4CC7041AF20BAD57
                                                                    SHA-256:D60103A5E99BC9888F786EE916F5D6E45493C3247972CB053833803DE7E95CF9
                                                                    SHA-512:1FDB74EE5912FBDD2C0CBA501E998349FECFBEF5F4F743C7978C38996AA7E1F38E8AC750F2DC8F84B8094DE3DD6FA3F983A29F290B3FA2CDBDAED691748BAF17
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Joe Sandbox View:
                                                                    • Filename: hatabat.exe, Detection: malicious, Browse
                                                                    • Filename: SecuriteInfo.com.Win32.Trojan.Agent.M47LP3.18905.20801.exe, Detection: malicious, Browse
                                                                    • Filename: SecuriteInfo.com.Win32.Trojan.Agent.M47LP3.18905.20801.exe, Detection: malicious, Browse
                                                                    • Filename: Red_Magic_Studio_international_release_V1.5.5_x86.exe, Detection: malicious, Browse
                                                                    • Filename: MDE_File_Sample_aa447845a64e29145a9489f43972beebcb33cfba.zip, Detection: malicious, Browse
                                                                    • Filename: , Detection: malicious, Browse
                                                                    • Filename: , Detection: malicious, Browse
                                                                    • Filename: FaceID Pro.msi, Detection: malicious, Browse
                                                                    • Filename: FaceID Pro.msi, Detection: malicious, Browse
                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                    Reputation:moderate, very likely benign file
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):62976
                                                                    Entropy (8bit):6.157225899022573
                                                                    Encrypted:false
                                                                    SSDEEP:1536:l72doFmOiHizFbPlspcsbj5ZsP+YeTs1p:lSSfN9+YeTs1p
                                                                    MD5:0E24119DAF1909E398FA1850B6112077
                                                                    SHA1:293EEDADB3172E756A421790D551E407457E0A8C
                                                                    SHA-256:25207C506D29C4E8DCEB61B4BD50E8669BA26012988A43FBF26A890B1E60FC97
                                                                    SHA-512:9CBB26E555AB40B019A446337DB58770B9A0C9C08316FF1E1909C4B6D99C00BD33522D05890870A91B4B581E20C7DCE87488AB0D22FC3C4BBDD7E9B38F164B43
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 3%
                                                                    Joe Sandbox View:
                                                                    • Filename: hatabat.exe, Detection: malicious, Browse
                                                                    • Filename: SecuriteInfo.com.Win32.Trojan.Agent.M47LP3.18905.20801.exe, Detection: malicious, Browse
                                                                    • Filename: SecuriteInfo.com.Win32.Trojan.Agent.M47LP3.18905.20801.exe, Detection: malicious, Browse
                                                                    • Filename: Red_Magic_Studio_international_release_V1.5.5_x86.exe, Detection: malicious, Browse
                                                                    • Filename: MDE_File_Sample_aa447845a64e29145a9489f43972beebcb33cfba.zip, Detection: malicious, Browse
                                                                    • Filename: , Detection: malicious, Browse
                                                                    • Filename: , Detection: malicious, Browse
                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                    • Filename: file.exe, Detection: malicious, Browse
                                                                    • Filename: YZgV0kQoYZ.exe, Detection: malicious, Browse
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):3931752
                                                                    Entropy (8bit):5.779360649151879
                                                                    Encrypted:false
                                                                    SSDEEP:49152:bLzzbaXYRO5x0teZkBF+8JKPsG6umKn8dSLnF/I:bgx/c4x1g
                                                                    MD5:149211C249C058C7E5169B5AF005EC27
                                                                    SHA1:CA8D3656837CB611F2BD9385142BA4792C44C55C
                                                                    SHA-256:FFEFB6962A0F1FEA4B69D6F70856E47E0D7266716154BE35D8C512F5206F42D0
                                                                    SHA-512:D290163A479A518A7ED94BEE84F2F0C1E1C62F290E2F1B7AF78F52CAC8E963F86FFED294C64D9CB147B41EE03B75AD83BB9D91E1EEDD79CFDAB81A38CAE5526D
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19631720
                                                                    Entropy (8bit):7.859382534698343
                                                                    Encrypted:false
                                                                    SSDEEP:393216:0mktwQB7JBNFbpphZ6ZleuXUF6Rw3pa3dTyTv97Hus:TUJB71Z6ZYevIp4yZHb
                                                                    MD5:E9A3B9746938F5A64159092AB84A9A9E
                                                                    SHA1:008A2BD684BC44AB4EE285E754BABBB69E8920AA
                                                                    SHA-256:7EB32BE702274510889601D2078BE62F786D3FFD80BD71F75EDC584D0772168C
                                                                    SHA-512:4439EC60D0323B6D60D618BF3333F3361B4B9181DA76B0691369B4CCAD353FF768ADAE906C417F52033AE367F50E00D1DEAA36B2023668FEE5C286DAE5F9D863
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Rich Text Format data, version 1, ANSI, code page 936, default middle east language ID 1025
                                                                    Category:dropped
                                                                    Size (bytes):62025
                                                                    Entropy (8bit):5.211883870718143
                                                                    Encrypted:false
                                                                    SSDEEP:384:Y1e/PVpz5FW68ZoF+CfCBpFv6RabiWUAToDK8uEoEsYGa/GVBjSllbMi6rGs+nia:Y1DAVCBpFwWBoDKORuXSOqmYNLoJ0f
                                                                    MD5:ADF1CE3B1BA19C00EB98C4C227920DB6
                                                                    SHA1:82BDDD283C03BAC6008F6D67B158D9D309DAD3C0
                                                                    SHA-256:8D1CDA37DF7FDFF78F409C7327E409CF79BD032F18120EE2DA495223D1EDA97E
                                                                    SHA-512:3FCD738A7C84B5C05F2F0C23F741B4C302BF11D9E95ADDF8EEE37131CEEB74F79266DA0DC9E285ECE893A04110BAF2A2B434AC62016834197C074E03393A21FD
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):6023664
                                                                    Entropy (8bit):6.768988071491288
                                                                    Encrypted:false
                                                                    SSDEEP:98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
                                                                    MD5:817520432A42EFA345B2D97F5C24510E
                                                                    SHA1:FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
                                                                    SHA-256:8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
                                                                    SHA-512:8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):7008240
                                                                    Entropy (8bit):6.674290383197779
                                                                    Encrypted:false
                                                                    SSDEEP:49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
                                                                    MD5:47307A1E2E9987AB422F09771D590FF1
                                                                    SHA1:0DFC3A947E56C749A75F921F4A850A3DCBF04248
                                                                    SHA-256:5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
                                                                    SHA-512:21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1340400
                                                                    Entropy (8bit):6.41486755163134
                                                                    Encrypted:false
                                                                    SSDEEP:24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
                                                                    MD5:3569693D5BAE82854DE1D88F86C33184
                                                                    SHA1:1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
                                                                    SHA-256:4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
                                                                    SHA-512:E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):330736
                                                                    Entropy (8bit):6.381828869454302
                                                                    Encrypted:false
                                                                    SSDEEP:6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
                                                                    MD5:03761F923E52A7269A6E3A7452F6BE93
                                                                    SHA1:2CE53C424336BCC8047E10FA79CE9BCE14059C50
                                                                    SHA-256:7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
                                                                    SHA-512:DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):5498352
                                                                    Entropy (8bit):6.619117060971844
                                                                    Encrypted:false
                                                                    SSDEEP:49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
                                                                    MD5:4CD1F8FDCD617932DB131C3688845EA8
                                                                    SHA1:B090ED884B07D2D98747141AEFD25590B8B254F9
                                                                    SHA-256:3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
                                                                    SHA-512:7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1497704
                                                                    Entropy (8bit):6.624848760418836
                                                                    Encrypted:false
                                                                    SSDEEP:24576:M1ie+fkFwAX1cB93Fg5gagiHXJv43EIDX0disOe8eHHHHHHroCYswGHuKEkjgrg9:MhiAMeHXJvPIqoCHuKEkjgr+64VHRLaG
                                                                    MD5:C77C66F7C9BFD217A6E98F373EBA9DCA
                                                                    SHA1:6F2620B6696EAF1D1612764120240525533735F9
                                                                    SHA-256:C0EA0AE92A8BECE1D0013004D443DB8076565E843CCBF434107DCAE11AD88FA6
                                                                    SHA-512:E06088B3093A97FB600589D71A8A860347AD77FB1899FF3D23BDB9F8CC221759A8C0200DC2CB07830898B50FA2E640BB0ABB05989A86889D3AEE4C900F3F23D5
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:ISO-8859 text, with very long lines (489), with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):6875
                                                                    Entropy (8bit):6.245590944826417
                                                                    Encrypted:false
                                                                    SSDEEP:192:LPhoCMphQgXndTpSgpucO9Yd/mkzi+qg5iJtHmpS:LX6hxgYNmQO
                                                                    MD5:F72D6D2612CA3E8B67D51E476375DCDC
                                                                    SHA1:D4C444EE5DDF654151ABEA2F3B794C83B7FC0746
                                                                    SHA-256:7C6163C086B84D88007E4C753052174EAFA607BBF45495BBBE91F0A2578724D3
                                                                    SHA-512:0D34E3D6D27C731643268742ACFE463FDCEC98F999230388FC1C33B9877BB7860DFEDD71F0A8D1364E336B971982488DD0E07F6EE311BA3CA287A3348CD957E3
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 1920 x 1080, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):53140
                                                                    Entropy (8bit):7.6180529158753165
                                                                    Encrypted:false
                                                                    SSDEEP:768:Q9WSrFJwPFNQqgZ+N1OHYjPHfK+AkeDNvh5a+gb3qShA0lZXWxfdPq1W8p:SHrF37ZjYrS+Adhvh5aFeShtT0fdPb8p
                                                                    MD5:A4B283F470C19FF38434A413D4DAAFF7
                                                                    SHA1:47E5E8FE704D27681C882D735E35F35A279066F9
                                                                    SHA-256:1645921EBBD0E19E1D68A881988400C0D6A0D79EFBA6C2BE92F16F21AC6E484E
                                                                    SHA-512:EC22E74D31AD7D8AA727DD978CEC8319C1D00EC38119CB3A1778B352C588B2925A642FBE5403CD07BB4470D7CCCF594850E8CC2DA02146EB0AEF764EA48D42CB
                                                                    Malicious:false
                                                                    Preview:.PNG........IHDR.......8.....g.V.....pHYs................ciTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpRights="http://ns.adobe.com/xap/1.0/rights/" xmp:CreateDate="2021-10-29T16:24:21+08:00" xmp:ModifyDate="2021-10-29T16:44:55+08:00" xmp:MetadataDate="2021-10-29T16:44:55+08:00" xmp:CreatorTool="Adobe Photoshop CS Windows" xmpMM:DocumentID="adobe:docid:ph
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 1080 x 1920, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):54731
                                                                    Entropy (8bit):7.704415118306273
                                                                    Encrypted:false
                                                                    SSDEEP:1536:4HAcydzd6JeWy4gMW2NnCoF6oao7zg0ltmM3wi88XmIQeAixgA:OeWIcTFao7zHCEwi88XHQeA9A
                                                                    MD5:8D694DC935C445FBE72AADE248D8FE9E
                                                                    SHA1:A00B070017632177F1D04370580B6998D57FF484
                                                                    SHA-256:A5EE2B2C570DD5C4B86130BD787855FCF7B97BC2D0AD42CBB656F57300444F2E
                                                                    SHA-512:D369892D7E4B32256E538BA5B9A3C78A7FE2BA9634ED0797254E564A0574BA1CA06383482C909E76C90E234762A4EF95B646CCF48474276D14E620CC3FC59E14
                                                                    Malicious:false
                                                                    Preview:.PNG........IHDR...8...........p]....pHYs................ciTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c142 79.160924, 2017/07/13-01:06:39 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:tiff="http://ns.adobe.com/tiff/1.0/" xmlns:exif="http://ns.adobe.com/exif/1.0/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpRights="http://ns.adobe.com/xap/1.0/rights/" xmp:CreateDate="2021-11-02T09:30:45+08:00" xmp:ModifyDate="2021-11-02T09:33:09+08:00" xmp:MetadataDate="2021-11-02T09:33:09+08:00" xmp:CreatorTool="Adobe Photoshop CS Windows" xmpMM:DocumentID="adobe:docid:ph
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):363008
                                                                    Entropy (8bit):6.734997162253399
                                                                    Encrypted:false
                                                                    SSDEEP:6144:w0C97Q/liRPfsj4QSSoJxzu2E9qql7hUqT4UZ3NiMdtrU+I8Pah7ZsAQAY7L5oug:wtfZDSoJxSVqeaqtNfrBI8ChNwJ3qQVf
                                                                    MD5:2465B102E66FFC0F3F60C2A91677B6C3
                                                                    SHA1:20C95ED7221AF160ADEE6290CA0E1397932E6754
                                                                    SHA-256:F56A07CC259656B15E1EF0E52C4BB8D204239B73232E959E6BB488EB36F538F6
                                                                    SHA-512:3A51605EB56175ADABFF8E0274CFB0D316B5E12BD05EBF8AC3147E34BE6DC429C404498550FEA36B21E0DB2BB5CF02753EBA539BDD2089CAF7AF05C3564FA243
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):424448
                                                                    Entropy (8bit):6.528400148711937
                                                                    Encrypted:false
                                                                    SSDEEP:6144:l9ufcbVJp2+YmFLjwARH0eH6FpJkt6rQJmHBtzO3+dw34utki3/:Xla+YmFDl0TNOOdwo
                                                                    MD5:00422B0D543E059D3205AAF098BE929B
                                                                    SHA1:BD50AD243DB64EEA16498945C2C90A935A103619
                                                                    SHA-256:37F8B8AF15E802A3F3A282878AC968D54168604276704A5A93335BC05F20732A
                                                                    SHA-512:193612E1C5F063804E9719EE7BA9F7344ACDEA9CB5886F8DEECD5343998B75E7D4668E6376352373F3F185540469F9DC312C28013A87748D489F4F0427646748
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):179968
                                                                    Entropy (8bit):6.746128883988802
                                                                    Encrypted:false
                                                                    SSDEEP:3072:pnuOudV8zoMeT7ZJTsEMFrPJn6ABs2LfXRLk3U1Kei3VISKIi:MFMeTsfF9nxXkE17
                                                                    MD5:7001AC4CEA57EE0EC7E94033E314BE43
                                                                    SHA1:DBA06DD023FCF4AD322DCD278F8CAC470C73546F
                                                                    SHA-256:4123F2E442B58EE1A1EBCB4F2B28233F9C34A21F5D76A4764DF0551B9D007195
                                                                    SHA-512:212DDD7F1F3E70E85A43C0422D27F75D6CDA7A62EA94484C41A1ADA01779133738039672D02588C4E82DFFC2E1DBD14F6C9D4D7DB996E378152B846042E67F73
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):220928
                                                                    Entropy (8bit):6.420737800915876
                                                                    Encrypted:false
                                                                    SSDEEP:3072:f3EpIiutwAYEi7jbe3cxPHI2eWBRK6LwZkfejItTyPrIREIo:f0stwAy7jbesxAALYkWv
                                                                    MD5:B15156490BBF33C4C63338A09E92D1FB
                                                                    SHA1:2C73D2A34288CE92F8E17A4F34CB9F2CC59D08BA
                                                                    SHA-256:878EB097795F24E9B5F91DAAF692A2E03CB2EC1F3F4B27650127F3CAE854CA12
                                                                    SHA-512:FAD938FAB88657B1BCB660C2277FC8E534F3815073C1104E546B58A841E7213E2F5A6255865AF6880A343DF9E4026C01B86B487C3CB5E0CB8872D916A9EA13B3
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):2583552
                                                                    Entropy (8bit):6.904573623601341
                                                                    Encrypted:false
                                                                    SSDEEP:24576:Bn/8Bfnucbnb2EXBGBtsh843Z/gUsDxmcM3h9siTik5aUq2DW1rdDqzCPaBq4qD+:MhbJO4FvEDol3FhpeUChxTxiVxFVup
                                                                    MD5:C752064585CE1C47CF113FC776E0D678
                                                                    SHA1:91F594BFD06BA34BDC4A0ACD2B0D570DA0FEB7BC
                                                                    SHA-256:F1F654DF0A74B171DA34750B4FF34F15A49B75D45AED54123B72998AEF619968
                                                                    SHA-512:08F3E8F4139294781765E822747F6F3C09370C093E259F3C0B9E07E8629A497D1720951B4C99606B3B86F5D5D15C213B1559D710BC8D00CEF18F90732098647B
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19136
                                                                    Entropy (8bit):6.977816585768534
                                                                    Encrypted:false
                                                                    SSDEEP:192:MgWuufhW3a4V10b8uDBks/nGfe4pBjS7EQ8WebtuVaVWQ4eWbKqnajy3Snk0lpn:1W5hWq+10vq0GftpBj5fZblGinjXn
                                                                    MD5:CDE2424D99DB56DD0D1EAF34811738C1
                                                                    SHA1:CC7889C43729B93A4E193B2FD6AE5F22B6AD6B8F
                                                                    SHA-256:4CEAF28CADFD0929B44E9C686B93432A7151504C8FFE2A6AFE516F9B16538131
                                                                    SHA-512:D5B8EF2DE3FEFDE29B2C9CCCB330C3076BA71D6AE29E1B34617057D8A832D37EAE8E2F238E2ABB6EB226453C00A835C669A7C03A00CD1698D02272D8EB6998E2
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18112
                                                                    Entropy (8bit):7.09311174316202
                                                                    Encrypted:false
                                                                    SSDEEP:192:hEWuufhWr2ivT16uDBks/nGfe4pBjSbGPKA8WebtuVaVWQ4mWOC9qnajjpxf9c98:aW5hWPvT1Nq0GftpBjjeZRC9lBLcT+
                                                                    MD5:ACF4321AC8C8FF4D0442C799D621F8D9
                                                                    SHA1:B12F87E6AFC48697F1CE8B587715361E89B79CAE
                                                                    SHA-256:69B84F7318798A91143E3D273AE9C0BEDAABBA930E3702447D493E2B8DD70725
                                                                    SHA-512:7878A7CD62F9D259A6BAB05E13E9AC5B16437C0D8BDA46E864F205465AE19531E5655D7547AE1594A53A05DDEB8B0C6058A73CAEB21CD7C81FE5A424303D3BDE
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18112
                                                                    Entropy (8bit):7.100655720468333
                                                                    Encrypted:false
                                                                    SSDEEP:384:M7eW5hWlo+10vq0GftpBj2uZwDkIldBQ7QMI:YkeinqDFQnI
                                                                    MD5:3C47C25B8141D20B2B4D576000000A61
                                                                    SHA1:04543F9CDD847FF66389C9FD1E12B444DAE6383A
                                                                    SHA-256:290030199E8B47D6BCF466F9FC81FEE7E6AEBC2C16A3F26DD77019F795658956
                                                                    SHA-512:C599EF06045583B28FAAC051909C28F5F2FA56C34D47F3BD49EFC101A1CDCB571A298EB100D0B381E3EBB1BA19B2FB4DD5127F259EB8AB183753722ECBE0F10A
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):7.016852351557027
                                                                    Encrypted:false
                                                                    SSDEEP:192:MmxD3KXWuufhW+sivT16uDBks/nGfe4pBjSfhXa8WebtuVaVWQ42WyMsVqnaj87p:MVXW5hWyvT1Nq0GftpBjSZgkldri
                                                                    MD5:E05CE0232E64328C62C9DA37698566BF
                                                                    SHA1:50C25E6ECEC2CD17ECF3117BB9A646BA107D2B84
                                                                    SHA-256:573AED3F3EB436F9B7C24D51BE3BE2105DEB8149EBDA9B964660930C957B2410
                                                                    SHA-512:8093BD5D1AD96D759A5D9183FCA27D7CB756E0884776673F132D20119E602EA33F8121893B9B90965B0EB5710E244FAF4E2AD738479998FC2C5DC37F83FE18CB
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):22208
                                                                    Entropy (8bit):6.921727130531402
                                                                    Encrypted:false
                                                                    SSDEEP:192:sohaYPvVX8rFTscWuufhWrlFO0ruDBks/nGfe4pBjSb68WebtuVaVWQ4mWst1qnq:JTPvVXiW5hWB80aq0GftpBjQZplBLcQ
                                                                    MD5:A26C7FFCF18B62904DAB7786DE638EA6
                                                                    SHA1:B28489BC38EE2F522EE83DCF49FAEB96F39A77E3
                                                                    SHA-256:74075B7AF84378CEE0D035C020B320EE52A120B21F71A4972093C9E23D534830
                                                                    SHA-512:768C8D7818ACACF83D8BD020AB239408673F6CF9E0E8F1BE1DAB2DD58C5DF4E45B970BAF7D8D09887280BE0788790EACD6126274DEACA6B1C4B7BAD3E335B34F
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):6.997205498206374
                                                                    Encrypted:false
                                                                    SSDEEP:192:ByWuufhWrRivT16uDBks/nGfe4pBjSb9bXe8WebtuVaVWQ4mWWrRHqnajjpxf9cS:ByW5hW0vT1Nq0GftpBjSbRZnlHlBLcYl
                                                                    MD5:6A55A7E284B51B086B63CC6F2061CE8B
                                                                    SHA1:46A48A1CCF5262038B71ED4BE09CF625009D078D
                                                                    SHA-256:D9973270A952B4CE615104520051E847B26E4B1CC330A5A95BA1AE128F0DFDEB
                                                                    SHA-512:6A6BA643BF15581CD579E383BAC351CCAE714D50453CFF52CAC7DCF5BD472A170E7D33B0509C7BD50C5E76E8A0304FA88DCAD63A9E2CD0694A5C56F4A21AE363
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):7.057705366147816
                                                                    Encrypted:false
                                                                    SSDEEP:192:HX6WuufhWr7FO0ruDBks/nGfe4pBjSbnUqs28WebtuVaVWQ4mWOYVqnaj87X/fA2:HX6W5hWX80aq0GftpBj2spZkldrps
                                                                    MD5:6E38A6BED88E1C27155E4DC428188EF0
                                                                    SHA1:8B47A1960ED157F7BEEB80FA4A16A723279C4EFA
                                                                    SHA-256:144D3A28E43E47FC1CCE956255CC80467D4A6FBBB8F612EC6D85F62DE030A924
                                                                    SHA-512:3B801875BC5A483EEA6D6CC43015E759EE1F66C12585F698CB92368455F25B5309617C8BEAE39945CADB57009A9C9A9CE21C18DEC28E86097C67D8FC5F9FEBAB
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):6.9977224301759895
                                                                    Encrypted:false
                                                                    SSDEEP:192:KKWuufhWr2ivT16uDBks/nGfe4pBjSbYA/8WebtuVaVWQ4mW7TqnajPf33PLlYoM:9W5hWHvT1Nq0GftpBj4UZAljZYsqTr
                                                                    MD5:9304209688E2A18D0B26997BC78FDA7A
                                                                    SHA1:5D4332CF1C5123418C6419D0291486C3939E8785
                                                                    SHA-256:D6BC1509FD2D4EA07E661F2F59395B4D71907D16F59942443A5D460DF343DBF4
                                                                    SHA-512:5952E192B6150055BC88E672FB0254BC962ABD27AFB5C30CD0F52EDE98AD84EBA9966D721B3B6602116FF40AD5C489A24EAC35DDE77397DB88AA46AD2BD18960
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):7.076923984600289
                                                                    Encrypted:false
                                                                    SSDEEP:192:3liWuufhW3XUxQmLuDBks/nGfe4pBjS7LX28We8WebtuVaVWQ4eWmQQPqnajy3Ss:3liW5hWOQ7q0GftpBjkEZfQQPlGinjqZ
                                                                    MD5:F42A84D78A5A15FF1A4DBAC591E95783
                                                                    SHA1:1CD5B5E68FD729BDD340463B53728634D342B0CD
                                                                    SHA-256:F60267CAB87DFC1ACCF912C212186112ABA38742F621549D6BC8D67E217E7234
                                                                    SHA-512:89BA6571DF642DBAC769C72914B30F2D27107F023A9E1CBB0C6F5412B6A69D414CD99F29DE07D06592C7AB9CDFC558F3B65B7050921BD442C01417BAC0A850F0
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):7.007606219977555
                                                                    Encrypted:false
                                                                    SSDEEP:192:KWuufhWr3ivT16uDBks/nGfe4pBjSbKUs8WebtuVaVWQ4mWMoTqnajPf33PLlYoS:KW5hWmvT1Nq0GftpBjGzZv4ljZYsqHh
                                                                    MD5:9F286E57E5B1C1A347ADF9EEF059AD5D
                                                                    SHA1:631AA1AA364234ACC5AD20B27F926E9CB9EE4276
                                                                    SHA-256:F93DDEF4AC14EF778790F3F00057AB6CAFC0C99DFF52CC24F523D63917719970
                                                                    SHA-512:6DF20707CCDA0CF9916B7C00B11A4A82B47A0F6E87C6EBA0F38E440E143B4AA6E5B48F67D09A9EEEF75DA2AADFBB5ABC7E62362F50D674BB8A532E290699A197
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19136
                                                                    Entropy (8bit):7.02924787728422
                                                                    Encrypted:false
                                                                    SSDEEP:384:rvuBL3BEW5hWh3rq0GftpBjzkZalBLc2V:aBL3Brii2sV
                                                                    MD5:BEAAE8294DB31AFA04FA60795C6E02AE
                                                                    SHA1:8A32EBD843E461864747FE0AEBF4BBF83C4EC093
                                                                    SHA-256:F8E8D85035BCB478CE2AB47A6476A8C756A7C8FA05BAD66B9A03ECE6A2CED141
                                                                    SHA-512:DD1A75943401AE5D20C9EE023BA77000DB9433A643EC2F102CD3A72FAF274DEB3611954557C81120D81FF447F86B7309CEC1C9005AB37ED7BB48D6E6C239B135
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):21184
                                                                    Entropy (8bit):6.992687289280088
                                                                    Encrypted:false
                                                                    SSDEEP:384:ptAuOMw3zdp3bwjGjue9/0jCRrndbAW5hWA80aq0GftpBjV+ZZrmlGinjQKKX:DAuOMwBprwjGjue9/0jCRrndbX4i3qdT
                                                                    MD5:2AC1289E4DBAB076B332869BEF26D3CE
                                                                    SHA1:60570DDD06B671E26C6A814B9C08CDFA0EF38ABA
                                                                    SHA-256:6475F20F46814D28845C2FA73E9C283A8504483FA16D911325588C778CF76C26
                                                                    SHA-512:E226FB4739D66E2C4624A9E01EC00DBE3B37DC96995EEC35660208D76A9E6758A2A29BE1B7986D14074DF23EA0FC39D2CE121B7BD32C553371C1B15FF3E2EF7A
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19136
                                                                    Entropy (8bit):7.001597753063372
                                                                    Encrypted:false
                                                                    SSDEEP:192:zQWuufhWrixf/0uDBks/nGfe4pBjSbl7Y88WebtuVaVWQ4mWyymqnajiG7AzTvfJ:zQW5hWS3rq0GftpBj9jZlymlO62vfGkb
                                                                    MD5:A2661A468BB87EE9CC5DEE968FD3805C
                                                                    SHA1:9B17FBD552E34888F1453F9113FF4C42EFAF6D6A
                                                                    SHA-256:DC41DA54E717AEF60228EE11D10669C31D3DDD532EEE9ECAD944C09B71B762DD
                                                                    SHA-512:B5C01CB3C991FCF8945C764B853F8A32FCE324F01562107E086DD998A1B31F9285A0D645C96052B94C955F3626691C3CA2CC9E04D8594A0A7C042530549F1AA3
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):7.057051443495707
                                                                    Encrypted:false
                                                                    SSDEEP:192:1cIWuufhW3bFO0ruDBks/nGfe4pBjS7irpMk8WebtuVaVWQ4eW5eqnajy3Snk0b7:CIW5hWL80aq0GftpBjNUZkelGinjn
                                                                    MD5:ACBFC011D5842BA60C372BA3D222AB70
                                                                    SHA1:16B8014060A04BB03215F6CE4C118BAE48653BD5
                                                                    SHA-256:B0AE48EB5FF51FA038E1ED23C7C48D266C20C2AF3F9907EE6906BB0346DF7F9E
                                                                    SHA-512:DCE34D64E6674B67C7C6E7C34886C1EDE2967E6AF7CFE2ADDFE51FCF70780A33D7308E7CE81A80149034B8F910C045B3EA81F458D9227448FC4B339DC05A59D3
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19648
                                                                    Entropy (8bit):6.966124928373776
                                                                    Encrypted:false
                                                                    SSDEEP:192:AlWuufhWrExQmLuDBks/nGfe4pBjSbYsqwZ+8WebtuVaVWQ4mWXqnajnp+MVQ/Tz:AlW5hWaQ7q0GftpBj5VghZoldBQ7Q8PX
                                                                    MD5:19D14D348AC38737431A7EE2F82973E6
                                                                    SHA1:11CD8F5DC5C08D133B9B006DA5C84946F012CBB6
                                                                    SHA-256:1CD9CFF9F7D24B22993A207CB81F15CE2792FA5F941E77E8280DB00DB6A273AE
                                                                    SHA-512:B3BF7426150BF3B933DB4670DB3B7D22530C7087EFEEAB0DDACFBB0BFFC01AABDAC68E535C7298B13A42530A1AAB2340203874B5382581F59309EC9465F6A0CC
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):20672
                                                                    Entropy (8bit):6.996260184407903
                                                                    Encrypted:false
                                                                    SSDEEP:384:ik1JzNcKSIUW5hWP80aq0GftpBjMJZCZslGinjI:9cKSupiEgZ40
                                                                    MD5:EA0E13FEAC13DC18C79EB682BEF4676E
                                                                    SHA1:B9DB47624345C68CF07BD2677DF537E0F975CAF9
                                                                    SHA-256:2658242CCD090181ED944F682C435E5FB880F3B21D1811D43B93478901D701B0
                                                                    SHA-512:540B9F8B18D42E551F13DE3D4A6F0F821EA23E4C85A6346B84E8B74D02CFB5413355D126913699208FAEFD67680C52CDF4E6ECD66FC0CB4753EE603FE9763DF7
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19136
                                                                    Entropy (8bit):7.006932109565197
                                                                    Encrypted:false
                                                                    SSDEEP:384:vIDfIenW5hWsvT1Nq0GftpBjeOZLlGinjx:ve2N1vi/l9
                                                                    MD5:1AF2A91DC0A4E48BAB0CA123073ADF30
                                                                    SHA1:CF6625FD31B17D46DD31B16372840C74026D0BA2
                                                                    SHA-256:AE574C9B8A2467C3EE0AC3E862255E93A02627BCE146AD7B720B99905DC224FC
                                                                    SHA-512:45103C51FC655F608E687C8E9DB24C956D12C63B0497CED3817AEE3D9F5FADF0741064CCB49AE71FBF377228AF315C961FA414221731EA4892425ED4939BBF51
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18120
                                                                    Entropy (8bit):7.082899202505806
                                                                    Encrypted:false
                                                                    SSDEEP:384:yW5hWgR80aq0GftpBjHLzZgfhlg+ZmJy:dmi1LzWflu
                                                                    MD5:9B9D1949B75DF171884F6F8CABA7FF59
                                                                    SHA1:411ADF413F53C56488D5CF68E9B4B692889F3C4B
                                                                    SHA-256:CFFB2007C31932B092CDA3A0A39F1CFCC5766B6A1C05E5EAEABC53660CBBE786
                                                                    SHA-512:DD2110A2406E9CF70E26076FF4BC41F5478ECE318AC48E8C7D8101E14C41284DDB2EA305560E1FA27D70925525553969FDCAB243B31C0FB5AC460E1F00DB2B7C
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):7.076616206377689
                                                                    Encrypted:false
                                                                    SSDEEP:384:HGeVxW5hWEvT1Nq0GftpBjvOZZljZYsqzN:HGeVcF1viJOYnzN
                                                                    MD5:C6E268C877A9BE5B43877308B1231120
                                                                    SHA1:949105C826DEE6A32FE1288285E3E41CB7D04821
                                                                    SHA-256:EAE3CD8747DA3B435846901A1DBE0E430666D3D8D7BA6E54307CFF5D6EE0592F
                                                                    SHA-512:776FE5CC3E5EB7AE9C20E15C6C5BCE20FB2A0E9E81D260A08DC41860B3967C7ABDC3142786421F349EBE9C43A12E261A34E3E176535B8E04545395279C439331
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):7.03241655514082
                                                                    Encrypted:false
                                                                    SSDEEP:384:1yMvIW5hWER4Zq0GftpBjpTuZV0lO62vfGU:1yMv/L47i7STVHGU
                                                                    MD5:5122B8AA14A25C8567D9D0335036446F
                                                                    SHA1:81961F2C8A331136F8156930779964A71E0BADC4
                                                                    SHA-256:7B5393E2CB79F0396D5D97510E8F0955A2586AACAF60EB8DE3676006CB81DC5C
                                                                    SHA-512:758FF98F838F3CA03EF6A9E5A0E39732AFED73F4D15DD7D7A1A842C36AD00A859541B4E977AF513DDCF970ED994CC27B11654DDC0F15FFFD83BDBEFF43084CC9
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):20672
                                                                    Entropy (8bit):6.940869583416741
                                                                    Encrypted:false
                                                                    SSDEEP:384:pvdv3V0dfpkXc0vVa/W5hWiR4Zq0GftpBjkYZjsdljZYsqmb:ldv3VqpkXc0vVau547iCY6Onc
                                                                    MD5:E1B30D56617709CF7DFF5F464D7566D9
                                                                    SHA1:E29646B1C90550CB86ED42782C764D41F2C70651
                                                                    SHA-256:5D1A854A0C5121E2E8866DAD26545F7F8C2D2F1B15ED7F1ED0B72654A1FC299B
                                                                    SHA-512:E158389A4F71EB94A2E73706F0D52DB91798104D990065029A3745DBC9A0459ED9AE96C78BD005043DE9057BAE66F35A174537C525385ABC8E91DBBF579BA511
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19136
                                                                    Entropy (8bit):7.039847498745061
                                                                    Encrypted:false
                                                                    SSDEEP:384:stZ3KW5hW4R4Zq0GftpBjsnTZWFlGinj6m:oX47iiTomm
                                                                    MD5:E4B64B2710725EC3332021BD8044D884
                                                                    SHA1:2D7F8D87D0F395296ECDF277084D23CB9E0880E8
                                                                    SHA-256:9566B81B1C6DB1727A4BB3A7A3DE12247FF5297F34548593280EC31F2B2E2C65
                                                                    SHA-512:AE5570A2CD245588A3F80744C7B1AF99533730EBF8926F51A2CC13004A6EB5ECB501AA8C2906E5FA5DDC5A92FB796D54AF43B3E3FF97CA1CC3D898462BF7E9B2
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19656
                                                                    Entropy (8bit):6.964000473161312
                                                                    Encrypted:false
                                                                    SSDEEP:384:NzgLW5hWgNvT1Nq0GftpBjVIB6RiNZiVlg+ZmJ:NzgKB1viPbRiNUhu
                                                                    MD5:67FD470A60FE8FB3F9FBE32FA52871D0
                                                                    SHA1:09ABA019A0D0DAE7415B6D9A39E1DC67D93F130B
                                                                    SHA-256:1F98F9E044D32E61445C5FAB3C80C2F37CA6BAB3D5B22CD5611FB5DF73DB04A8
                                                                    SHA-512:F8C3F1E3BEE196487AEC704F128240ACB57FB392DB918A97176793B07726F017177ABBB5A6C68822FC59CE06F04D489A78284A865EFDC2DE518F34ECFB0CC1E6
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):7.0713875407767
                                                                    Encrypted:false
                                                                    SSDEEP:192:QNWuufhW+IivT16uDBks/nGfe4pBjSfASU8WebtuVaVWQ42WUqnajnp+MVQ/TQF/:4W5hWGvT1Nq0GftpBjhyZdldBQ7Ql
                                                                    MD5:F53ED8A0C18157B9E37500621DFAB9EE
                                                                    SHA1:B8A3131150CFD46052353309843C802D9F43DF03
                                                                    SHA-256:5909E928D791F67A13E3130033CB0E2178F5167A644C3AB5336322D38356DB47
                                                                    SHA-512:2CC98322E67FF49AACABA0B23FB559A5C4C58182E4F3965673A766D3198A26FCD7C7C340779D9FB0FC3F2649C16427FF312D87CAA1FEADF23DABC6675169416A
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):18624
                                                                    Entropy (8bit):6.994924646549247
                                                                    Encrypted:false
                                                                    SSDEEP:192:GrWuufhWrvFO0ruDBks/nGfe4pBjSb0rjk8WebtuVaVWQ4mWD0qnajiG7AzTvfGC:GrW5hWz80aq0GftpBjjbZS0lO62vfGC
                                                                    MD5:2B9F551CDDD662C618432A75C546B296
                                                                    SHA1:1DDD65FCC8BB401C734EBC2014D057328F771744
                                                                    SHA-256:070AFBDBE5B3F3B76B6B7EA2DBB9F8DEFF81C6EC8706EEF9080671543E2AE28B
                                                                    SHA-512:54DF6E692AC630D969A697C9E6F379C4826CA71B7E8EAEFDF502405B1333A6B483256AEBA609A4A1C61E73F72D2958AAF3EB31538CC5E7A91101D7D09E3ED9DC
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19648
                                                                    Entropy (8bit):6.993345918375787
                                                                    Encrypted:false
                                                                    SSDEEP:192:VyWuufhW+JFO0ruDBks/nGfe4pBjSfG488WebtuVaVWQ42WyWqnqnajjpxf9c9kY:VyW5hWU80aq0GftpBj6ZXlBLcmY
                                                                    MD5:7D943F85FF8D1515A02D202AE79453D3
                                                                    SHA1:94DEF1F7368172AC50B665E74B89E8F7AAE2857B
                                                                    SHA-256:1D4464FE335470452E58D613028DDE2F105EDF969D411E90BA7CA9E343C3FC89
                                                                    SHA-512:E111DBEF97C6C6CB3B5C2D183294620792C48A2CB16D9D91C12CEDE757A1C0C53D707F4294542BEF47EAE784893BF63FE0F0229BED4B2D0A961C8D1CC1CF43CB
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):22720
                                                                    Entropy (8bit):6.839780109999704
                                                                    Encrypted:false
                                                                    SSDEEP:384:vcJ2yyW5hWGQ7q0GftpBjFZ8UOwlGinjP:vQgiviDcj
                                                                    MD5:278857B86F667C47CBCCE94F5EC73CA8
                                                                    SHA1:A0F5B7E7C67F3C6B8F285D39D08B740E49445755
                                                                    SHA-256:91C5966932287078D0E616D8E0369347991F39765749BBFFA1ED3A9DF49776D9
                                                                    SHA-512:EBC02D1A2E223EB0B30A8E62089735FAED83ADD4161094493F62561A09C13A426815E7F06C20C44477691109A8C3040DC68527023BFEE6D9984C42D6A05208C9
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19136
                                                                    Entropy (8bit):6.972306280884879
                                                                    Encrypted:false
                                                                    SSDEEP:192:45oWuufhW3dxQmLuDBks/nGfe4pBjS7Ji8WebtuVaVWQ4eWbj8qnajy3Snk0T:4GW5hW/Q7q0GftpBjmZ08lGinjT
                                                                    MD5:6493B21FEFAE874655C62A56A156F3EB
                                                                    SHA1:C65BEB46F9F03D35867FF008026D3A56FA26FB65
                                                                    SHA-256:8D9D3E905D072C4465E4787DD5BD843D3A5DD5AC5AD9D7F232032B25FACC82AB
                                                                    SHA-512:93CBE187F7FA86AC58191B5384A993135E3291873A76CC2CF81DD60C68AD7591386E4EB5AB53AAAC2A6F48F7F778263B7FA0A4EA0863361910A9F1EFEE92B64B
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):20672
                                                                    Entropy (8bit):6.983745693486736
                                                                    Encrypted:false
                                                                    SSDEEP:384:gTnWm5CoW5hWSvT1Nq0GftpBjMkZaA0l3uzJ:gTnWm5Cfz1vijj/l
                                                                    MD5:AE83311041EE793253FF10736317A09E
                                                                    SHA1:C62D06CB6CBD9D997C42A6AD7F13C06F38725069
                                                                    SHA-256:8F9361D02F68392127FE264655EAC4FEF4A4A1BF63571F184CE26FAA98670702
                                                                    SHA-512:0FABCB0370330460F8F525401F339535C08D768F075816989A16EFF2256584CFA8FD6832DF3CE3D9C2A5364B4EF58BFFF53CC486E3B48D11B654F7174AA18458
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19136
                                                                    Entropy (8bit):7.055104319469149
                                                                    Encrypted:false
                                                                    SSDEEP:192:QwY17aFBR7WuufhWrtQR4+uDBks/nGfe4pBjSb0NW8WebtuVaVWQ4mWMUVqnaj8F:QpWW5hWyR4Zq0GftpBjhNJZYldr8
                                                                    MD5:12311308D7D65895B3920B3DD3E54B3B
                                                                    SHA1:3FAA74C6913F451D9C575761630B507AF0C15EE3
                                                                    SHA-256:76DAD3E04C9FF61B40AE1C9E039837CD1C077D59B6A008643E4FBF2DBDB564DC
                                                                    SHA-512:67FD047E760DBDADB06CC2C34B935FDABC629FA988484A9F5120CD59D6167D943B612DF65626701022B5E73C5B1177A8D813E90C5990468F51A5A11932C008ED
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19136
                                                                    Entropy (8bit):7.03086193071833
                                                                    Encrypted:false
                                                                    SSDEEP:192:QPqWuufhWrHxQmLuDBks/nGfe4pBjSbZjk8WebtuVaVWQ4mWK8MVqnaj87X/fACD:rW5hWdQ7q0GftpBjWjbZZldr63
                                                                    MD5:3DAFCF25A2AC1BECF40ACBEC8FC7134B
                                                                    SHA1:0729FDC617403622C2EDD77FDB7DD49B530E2037
                                                                    SHA-256:BA1458F730FF90009483C763926D1C74383480E529541C0EF5D4DE44E7A4F14C
                                                                    SHA-512:9DBB487489C8A6AF8DBD6326FE4958F489552AF268F2937495ADA35BB8404CFAEAF54833D8BBA2966E72CD0BA3284A5FD167BAF4CD6D905870F5D1ED3E5FF6C0
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):27840
                                                                    Entropy (8bit):6.625847560185786
                                                                    Encrypted:false
                                                                    SSDEEP:384:77FRU8HM4Oe59Ckb1hgmLydW5hWjQ7q0GftpBjASZLN8ldBQ7Qa:77TjMq59Bb1jyYPiyS8Q/
                                                                    MD5:F32BD567D35D2E85504C39DEDE609E72
                                                                    SHA1:B7A7145956466E45BBE6F7FE41E935A152C2C325
                                                                    SHA-256:5F2BB085217304006C81C55214C6093EC476E554E31808026E424DA82F58AA0E
                                                                    SHA-512:55396F3E5821D3F3EB5988BD3362A0CDDF036DE4AFA8CC1214813834B5A152FC3DF787A8347A7AFF3DE6BF112E1D2A354790F593854A59F1F49393DDF967D085
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):26304
                                                                    Entropy (8bit):6.709115397655558
                                                                    Encrypted:false
                                                                    SSDEEP:384:YbmLPmIHJI6/CpG3t2G3t4odXLBdW5hWYR4Zq0GftpBj2q8ZWlGinjge:PPmIHJI6PY/47iok1
                                                                    MD5:56C02FABC2C64174009C905570C3A22D
                                                                    SHA1:E52154112AD127AB01937453490091DEF4D21AD2
                                                                    SHA-256:0AA2CF2CC029C95FC053374071D7873EDDDC410FF8858720EE5C29BFEE62DDDC
                                                                    SHA-512:9F22F70B5DE4078FCBFDBB186D6CF220561200092EB7CEAAAD9D44A5281F84ABFB1729F4E447DAB3753225D5FC6C44D94363E3729E5765DD2213213C327C4C1B
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):70848
                                                                    Entropy (8bit):5.850762261683125
                                                                    Encrypted:false
                                                                    SSDEEP:1536:ccXDvBRh1De5c4bFe2JyhcvxXWpD7d3334BkZn+PAc5ed:cczDh1De5c4bFe2JyhcvxXWpD7d3334+
                                                                    MD5:4B27CF5CDB20AEBF113DF752019FFCA3
                                                                    SHA1:B02C6E45F704DAC118F81C324122C189E3E61E17
                                                                    SHA-256:C1E206AA4C8014DCFDAD15C16F50FBF4E3CE8E76E9406AF923131EBC001DD5AC
                                                                    SHA-512:CD4DF2478D719E159E2252E6784D24E4260C13D8F47774AC33A8E10B1FA96D38236BF2C3EBC060A5801FC19392CBE5C636BEFA898721BF114956C2BE6476BBD1
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19648
                                                                    Entropy (8bit):6.96817123674001
                                                                    Encrypted:false
                                                                    SSDEEP:384:BpOSA1W5hWk80aq0GftpBjy11Z+lTMs6WbL9J:vlkiM+TFJ
                                                                    MD5:FA677CFB18BA1370D8BB98681C48CFBD
                                                                    SHA1:CBCCD561BF53C59254FB04AB136996B81CC80D3A
                                                                    SHA-256:36589E9738A9358065D5A72F4276505D6C2F78101508BEDE05BDCCEEA46A8CD8
                                                                    SHA-512:9312ACD4955D4950D851910198D4EE622B75E11262E409C79391078D12D2D0DB320723A1552048ACC0E9DEB30378E3CD27D4FABCF2077D429EEDFB275CDB73E3
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):23232
                                                                    Entropy (8bit):6.836841538108079
                                                                    Encrypted:false
                                                                    SSDEEP:384:ETr7ZW5hWgvT1Nq0GftpBjqZaljZYsqn3:2r7Ep1viwLn3
                                                                    MD5:595A997BD415C8AE0EF1E3C3B73E6091
                                                                    SHA1:10F34BC2F474A43BFAAC26F66EC8081106C12253
                                                                    SHA-256:11ACA97ACDA31203AEEE496C9F183B49DB1C54D0EFA48888A15AB4EA47EE080F
                                                                    SHA-512:944F6BC405C69D6BF6DC97652E9F296658BD3DE078DDA50AC680E56818C00DFEE909B100FC2FA9C6A891C55DBC66DD62AC52819950732C83198DBB8C04F3C9B8
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):24768
                                                                    Entropy (8bit):6.7900099040686195
                                                                    Encrypted:false
                                                                    SSDEEP:384:xHCFVh/W5hWOQ7q0GftpBjDdZNil78oStBdo6:xHCwgiT7Aa3db
                                                                    MD5:415D765AA267382A79E56E428C80B1E1
                                                                    SHA1:1BF13460B8AAAC1538BF45186A1624825BB8C355
                                                                    SHA-256:CF7BBE93AE75A1C46A38204A6ACEF71BF2F5E3CD34501825601900E07D3D7B15
                                                                    SHA-512:7236EF7B2937718409EF4EEDA20318B1697E7C1C868D0DF263F4BE8673365D48FF6FFA2317BFD1881B6CB3DD1300410AD4F715B8E01ED321C4011AAC88490D21
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):24768
                                                                    Entropy (8bit):6.781178151043533
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):21184
                                                                    Entropy (8bit):6.917358051165061
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):19136
                                                                    Entropy (8bit):7.025468971894698
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):5049448
                                                                    Entropy (8bit):6.653263673432352
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):655360
                                                                    Entropy (8bit):6.275909345727414
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):391272
                                                                    Entropy (8bit):6.515217034341698
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):53232
                                                                    Entropy (8bit):6.034840031343294
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):315784
                                                                    Entropy (8bit):6.2803385461310235
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):4891080
                                                                    Entropy (8bit):6.392150637672776
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):2401112
                                                                    Entropy (8bit):6.538294475491196
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):3356
                                                                    Entropy (8bit):5.0135860014375
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Preview:.layui-tree-txt {.. color: #fff;..}.....layui-tree-entry:hover {.. background-color: #333;..}.....layui-tree-icon .layui-icon {.. color: #fff;..}.....layui-form-item {.. margin: 0;.. color: #fff;..}...layui-form-item .layui-form-checkbox[lay-skin=primary] {.. margin: 0;..}.....layui-form-checkbox[lay-skin=primary] > i {.. background-color: transparent;..}.....layui-form-checkbox[lay-skin=primary] > div {.. color: #fff;..}.....layui-nav {.. height: 44px;.. border-radius: 0;..}...layui-nav .layui-nav-item {.. line-height: 44px;..}...layui-nav .layui-nav-child {.. top: 46px;..}.....dw-dashboard {.. box-sizing: border-box;.. min-width: 1024px;.. height: 100%;.. display: flex;.. background: #333;.. border: 1px solid #ccc;.. padding: 6px;..}...dw-dashboard .leftpanel,...dw-dashboard .rightpanel {.. display: flex;.. flex-direction: column;.. height: 100%;..}...dw-dashboard .leftpanel {.. width: 400px;..}...dw-dashboard .rightpanel {.. flex-grow: 1;..}...dw-dashboard .g
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):3448
                                                                    Entropy (8bit):4.965439700535351
                                                                    Encrypted:false
                                                                    Malicious:false
                                                                    Preview:<html>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<link href="https://cdn.staticfile.org/layui/2.8.11/css/layui.min.css" rel="stylesheet">..<script type="module" src="https://cdn.staticfile.org/layui/2.8.11/layui.js"></script>..<script src="https://cdn.staticfile.org/axios/1.4.0/axios.min.js"></script>..<link href="./dashboard.css" rel="stylesheet">..<script type="module" src="./js/app.min.js"></script>....<body>.. <ul class="layui-nav layui-form" lay-filter="dashboard-nav">.. <div class="layui-inline" style="display: inline-flex;align-items: center;">.. <select id="grpSelector" lay-filter="select-group">.. <option value="">.....</option>.. </select>.. </div>.. <li class="layui-nav-item">.. <a href="javascript:;">....</a>.. <dl class="layui-nav-child">.. <dd><a href="javascript:;" data-baritem="grpNew">..</a></dd>.. <dd><a hre
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:SVG Scalable Vector Graphics image
                                                                    Category:dropped
                                                                    Size (bytes):1201
                                                                    Entropy (8bit):4.792291750232052
                                                                    Encrypted:false
                                                                    SSDEEP:24:qexyKXGqW8RwdNPQ3p4EZ/MR2vfR4Wd0ZkrGFo:LdXGqrwTQ3p4dR2vfzd0ZkrGS
                                                                    MD5:0EA9E817FE607AD65BF58EBEC8CE27C5
                                                                    SHA1:9D820577FF8FDD7D4783C70F00564A8256F7D4AE
                                                                    SHA-256:CB99B5F1776FAFAE3367617DFB829BEA92FF189B308AA32E27CDE873E4716C26
                                                                    SHA-512:B47E6F1FE032DB2CC9850136B42D4F71857E1AD5A04E78DC29B871FB45793187F2FEDFCBA000EBE446CB4E16032F6E42CCAE4FD4F8B6DDC4B6AA03F95F9842D5
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg t="1688027695947" class="icon" viewBox="0 0 1024 1024" version="1.1" xmlns="http://www.w3.org/2000/svg" p-id="13587" width="20" height="20" fill="#fff" xmlns:xlink="http://www.w3.org/1999/xlink"><path d="M927.171186 66.020646 94.780155 66.020646c-16.415878 0-29.728068 13.311167-29.728068 29.728068l0 416.196027 59.45716 0L124.509247 125.477806l772.933871 0 0 772.938987L510.976182 898.416793l0 59.45716 416.195004 0c16.416901 0 29.729092-13.310144 29.729092-29.729092L956.900278 95.748714C956.899254 79.331813 943.588087 66.020646 927.171186 66.020646L927.171186 66.020646zM65.051063 957.873953l356.73682 0L421.787884 601.13611 65.051063 601.13611 65.051063 957.873953 65.051063 957.873953zM124.508223 660.59327l237.8225 0 0 237.823524L124.508223 898.416793 124.508223 660.59327 124.508223 660.59327zM778.532891 452.487581l59.453067 0L837.985958 184.934966 57
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:SVG Scalable Vector Graphics image
                                                                    Category:dropped
                                                                    Size (bytes):833
                                                                    Entropy (8bit):5.116812673548608
                                                                    Encrypted:false
                                                                    SSDEEP:12:TMbeIMu5E4B9qWGRRHHGdlYr4zJ2damR+fZTkt8K+HBae/36OgQJEHTdufcW8KB0:qexkqW8GdCMir8FKOgQOzduf/8e0
                                                                    MD5:182089AA7C312430F3511B96D493227B
                                                                    SHA1:4098CFA18795C88BC8C99B7C426788610D4A601B
                                                                    SHA-256:4C52204707144681A71E569F7C2F7E210636AD46AF1C82318674FA499889C0E0
                                                                    SHA-512:6CE1E07F6BF144EFA40EE43053150BEB58E5545FC4F0E40E29F31DEAF87A37867D782A2F6F92BA2C17DDD9464ABA6A35AB916C151622214F12548BE51C858DB4
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg t="1689330829427" class="icon" viewBox="0 0 1024 1024" version="1.1" xmlns="http://www.w3.org/2000/svg" p-id="8783" width="20" height="20" xmlns:xlink="http://www.w3.org/1999/xlink"><path d="M928 365.664a32 32 0 0 0-32 32V864a32 32 0 0 1-32 32H160a32 32 0 0 1-32-32V160a32 32 0 0 1 32-32h429.6a32 32 0 0 0 0-64H160a96 96 0 0 0-96 96v704a96 96 0 0 0 96 96h704a96 96 0 0 0 96-96V397.664a32 32 0 0 0-32-32z" fill="#ffffff" p-id="8784"></path><path d="M231.616 696.416a38.4 38.4 0 0 0 44.256 53.792l148-38.368L950.496 185.248 814.72 49.472 290.432 573.76l-58.816 122.656z m111.808-85.12L814.72 140l45.248 45.248-468.992 468.992-77.824 20.16 30.272-63.104z" fill="#ffffff" p-id="8785"></path></svg>
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:SVG Scalable Vector Graphics image
                                                                    Category:dropped
                                                                    Size (bytes):637
                                                                    Entropy (8bit):5.365630760250825
                                                                    Encrypted:false
                                                                    SSDEEP:12:TMbeIMu5E4BXqWGRRHnidlYr4nsthVsF8s8B902O8s8BWP1HD8s8BE88sz:qexiqW8HidCsstO8sm02O8sxND8sT88e
                                                                    MD5:AD17E910F53B6AB941C01C3D0E357BCF
                                                                    SHA1:8577D20DC7EA7B5EDB3FA1137B14ACC9DA779B85
                                                                    SHA-256:B83BF7D072373B85A4BF2B07D70DAC9007F0A098BA1995CA85D07F0920FECC3B
                                                                    SHA-512:AEAA9DD29833ABF44DC5922B5BE37E48FAC233D2591CF1F386C355CF15EC4F778BD0AB6BAA9265C2ABDC94A56CC22FF593122F40A0162CF231B61EEEEEDE62E1
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg t="1689331209569" class="icon" viewBox="0 0 1024 1024" version="1.1" xmlns="http://www.w3.org/2000/svg" p-id="13932" width="20" height="20" xmlns:xlink="http://www.w3.org/1999/xlink"><path d="M1024 1024H428.8v-70H954V439.8h70z" p-id="13933" fill="#ffffff"></path><path d="M796 70v726H70V70h726m70-70H0v866h866V0z" p-id="13934" fill="#ffffff"></path><path d="M200.2 398h465.6v70H200.2z" p-id="13935" fill="#ffffff"></path><path d="M398 200.2h70v465.6h-70z" p-id="13936" fill="#ffffff"></path></svg>
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:C++ source, Unicode text, UTF-8 text, with very long lines (643), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):671
                                                                    Entropy (8bit):5.297483927913364
                                                                    Encrypted:false
                                                                    SSDEEP:12:TW0X1fDAq+RWzYB63cBe1cQJqGeQGqR7fs5GzOzJ926PcIXcQocz2HtVDe:Tzxsq+RWzYB63J1fGqBfIGCzf2618g2m
                                                                    MD5:C2E1FF0F8A2710A16419607A7406923D
                                                                    SHA1:C5459312669FBB04616E8825DD04D339BD6856F3
                                                                    SHA-256:5B4E0FFA0F65C26B5D7A16BA8AF6CF1A0DB837C7CE805D28A1ACFA9A067B38F8
                                                                    SHA-512:113776DCF75D04C79BE9F7AF291DA229FFFB8E593760D527311D68B852E2BF94E2D1404CDB336D072C89631E1C3564DC1E5484A48622AA79A85C0C31788733EB
                                                                    Malicious:false
                                                                    Preview:class DlgDeviceGroupEditor{static run(e,t,n){const o='\n <select class="groupSelector">\n <option value="">...</option>\n {{# d.groups.forEach((item) => { }}\n <option value=\'{{= item.uid}}\'>{{= item.name}}</option>\n {{# }) }}\n </select>\n ';layui.laytpl(o).render({groups:t},t=>{layui.layer.open({type:1,title:"....... - "+e.window_title,content:t,maxWidth:232,btn:["..",".."],success:function(e,t,n){layui.form.render()},yes:function(e,t,o){let l;const i=o.layero.find(".groupSelector").val();""!==i&&(layui.layer.close(e),n(i))},cancel:function(e,t,o){n(null)}})})}}export{DlgDeviceGroupEditor};
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:C++ source, Unicode text, UTF-8 text, with very long lines (1189), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1235
                                                                    Entropy (8bit):5.043342921522443
                                                                    Encrypted:false
                                                                    SSDEEP:24:2IRhBvAUdLMIhqSKJrhBJrhgJrhkW9JrhZIHiKJrheJkY3fXqs9qOyRS:2ILBSIkSKJrzJrKJrNJrr6iKJr4JkY3l
                                                                    MD5:177DC6411E67E513105E89BF7DC7609B
                                                                    SHA1:0F1F2569D583EBA75F239917CFE00C2BFDA8D685
                                                                    SHA-256:14109F3867AB18C66213FD5B80F8C877950776B2508FE70B46B92EF37A844A0C
                                                                    SHA-512:14B81F2ED65DF9395EABDE0848405A6795FE9A5851F8E5578A003A571C5F249C12C081E29C35EF26BD1A7B964CF24A1A241B219F7B361EB700CE9D2E93A0FE97
                                                                    Malicious:false
                                                                    Preview:class DlgDevicePreview{static run(a,e,t){const i='\n <div class="DlgDevicePreview">\n <ul class="layui-nav" lay-filter="preview-nav">\n <li class="layui-nav-item">\n <a href="javascript:;">....</a>\n <dl class="layui-nav-child">\n <dd><a href="javascript:;" data-baritem="ctrlBack">..</a></dd>\n <dd><a href="javascript:;" data-baritem="ctrlHome">..</a></dd>\n <dd><a href="javascript:;" data-baritem="ctrlPower">...</a></dd>\n <dd><a href="javascript:;" data-baritem="ctrlNotify">....</a></dd>\n <dd><a href="javascript:;" data-baritem="ctrlAppSwitch">....</a></dd>\n <dd><a href="javascript:;" data-baritem="ctrlPointMode">....(iOS)</a></dd>\n </dl>\n </li>\n </ul>\n <div class="content" />\n </div>\n ';layui.laytpl(i).render(a,i=>{layui.layer.open({type:1,area
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:C++ source, ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):169
                                                                    Entropy (8bit):4.711280225491185
                                                                    Encrypted:false
                                                                    SSDEEP:3:yWtB2nlAXfZDEcBSadVXTFPJR1YCYLDSXDcZ9EcUpmAdi2CzFy:yG2lKfZYc0aPX/RYiXDcYcai2cy
                                                                    MD5:8FE3359CCB22B4465F80C71245304BF9
                                                                    SHA1:867768BF27328FF2FA934074AFC604D179705E63
                                                                    SHA-256:CC80D74E42D9D0D617923D69255913548312936058BBFAF6BE5E192564887AEC
                                                                    SHA-512:3900DE29D242053B45A1C51003366DC95EB89DF2BB7AAA3923EBB8DE8E26AB79969471BA6783DB090A6AE6573B159A390BDCD0B38CF711A7FB16489C30A7535F
                                                                    Malicious:false
                                                                    Preview:class DlgGroupEdit{static run(l,t,r){layui.layer.prompt({title:l,value:t},(function(l,t,u){if(""===l)return u.focus();layui.layer.close(t),r(l)}))}}export{DlgGroupEdit};
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:ASCII text, with very long lines (2438), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):2438
                                                                    Entropy (8bit):4.9375246389456775
                                                                    Encrypted:false
                                                                    SSDEEP:48:0MdH8bAsbXUycyAypp4ytBbKyB0vyHiyeyqB2yhLbyfybyEmyvyZydm:0MdH88sbkP96qkbKhkiNp2OLb+sY6Gsm
                                                                    MD5:37D07F893ECEA50995352D3FD0C56CD0
                                                                    SHA1:6A4404A5A7F0655ABADDC22ADD10219894CD4218
                                                                    SHA-256:903F97420CCF1107C7B425844ABD6F2854FC184F9B146C34E5ADA77E68DBDD63
                                                                    SHA-512:14325B74155192770CACEFE91C814941722F2721AA79A83A8460A64A86524B79B520E39C6E6519337966C03CDEE735298F59ADBAB385194ABC94A9CA9E28EEE5
                                                                    Malicious:false
                                                                    Preview:axios.defaults.crossDomain=!0,axios.defaults.headers.common={};export const DouWanRestfulCtrl={Back:"back",Home:"home",Power:"power",Notify:"notify",AppSwitch:"appswitch",PointMode:"pointmode"};export const DouWanRestfulMouse={Click:"click",Swipe:"swipe",Scroll:"scroll",Press:"press",Release:"release",Move:"move"};let s_service=null;export class DouWanRestfulService{apiHostPort="";static get defaultService(){return null==s_service&&(s_service=Object.seal(new DouWanRestfulService)),s_service}apiUrl(t){return this.apiHostPort+"/api"+t}async groupsSave(t){let e;return(await axios.post(this.apiUrl("/groups/allsave"),t)).data}async groupsLoad(){let t;return(await axios.post(this.apiUrl("/groups/allload"))).data}async deviceInfo(t){let e={dev_uuid:t},a;return(await axios.post(this.apiUrl("/device/info"),e)).data}async deviceSnapShot(t,e){let a={dev_uuid:t,crop:e},i;return(await axios.post(this.apiUrl("/device/snapshot"),a)).data}async deviceSnapShot2(t,e,a){let i={dev_uuid:t,format:e,max_wid
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Unicode text, UTF-8 text, with very long lines (6597), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):6703
                                                                    Entropy (8bit):5.284413563179407
                                                                    Encrypted:false
                                                                    SSDEEP:192:4b/4EcNT8EBc8ct7OwBySU9/m/Obhzhhqxfh+9sJosctZqTBRWcq:w/4EcNT8EBc8ct7OwBySU9/m/Obhzhcg
                                                                    MD5:80DD23D32BFA54DFD0CA8551AF861CEF
                                                                    SHA1:04B4438566A6E0B8A9F31FB5C6EE19F0C77FCDD4
                                                                    SHA-256:76ACC9FFEB05772299D7DDC872653AAF08EECEB3824BCDEDE4ECD192FA9129DF
                                                                    SHA-512:A8128DC1300617F16CEF8E0F5887F0FBEABD8A2C1046D3EEBF20E81FBBE61A6A09BB0FD8AF54FC9B9B18F6B4B6032F901937DD8122570D98F22AF3E653E17E17
                                                                    Malicious:false
                                                                    Preview:import{DouWanWSCtrl,DouWanWSService}from"./ws.min.js";import{DeviceService}from"./deviceServ.min.js";import{DeviceGrid}from"./deviceGrid.min.js";import{DlgGroupEdit}from"./DlgGroupEditor.min.js";import{DeviceGroupService}from"./deviceGroupServ.min.js";class Utils{static DevicesUuids(e){let i=[];for(let t of e)i.push(t.uuid);return i}}class DWDashBoardApp{_timerId=0;_elemSelector=layui.$("#grpSelector");_devService=Object.seal(new DeviceService(DouWanWSService.defaultService));_devGrpService=Object.seal(new DeviceGroupService(DouWanWSService.defaultService));_deviceGridElem=Object.seal(new DeviceGrid(layui.$(".deviceGrid"),this));syncCtrl=0;async _updateGroupDevices(){await this._devGrpService.loadAll(),await this._devService.syncAllDevices(),this._devGrpService.syncAllDevices(this._devService.allDevices())}_updateCurrentGroupDevices(){const e=this._elemSelector.val(),i=this._devGrpService.groupByUid(e);this._deviceGridElem.reload(i.devices)}_updateGroupSelector(){let e=this._elemSelect
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:ASCII text, with very long lines (5548), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):5548
                                                                    Entropy (8bit):5.0407009747611715
                                                                    Encrypted:false
                                                                    SSDEEP:96:0IZgNL4weo4weozk4ncmJwepHtwe6rf/xue2cgesS+GLVL4HGvn9nlR8Ggp80G3h:0IZaL4No4NoQ4cmJNpHtN6rfZT2c9svS
                                                                    MD5:9EC84C3F86106C3B48A388323D4A3086
                                                                    SHA1:B567BC845418ED6207EBECE76A9FBEEF25690CDF
                                                                    SHA-256:08A0FB857B23E789380A7CAE37EC478CE6C0041560C7C3600262369FB5B15108
                                                                    SHA-512:D7F72D783198C85CA106BF3DE99B0020B43E7BA8DB2F4B7915A58ED5F75C4C068D089C16F5EB4B3137A43FBAE02B818D52819612368B2266A2731C9834BF85A5
                                                                    Malicious:false
                                                                    Preview:import{DeviceGridItem}from"./deviceGridItem.min.js";class DeviceGrid{_elemRoot=null;_elemContent=null;_delegate=null;_items=[];_selectedItems=[];_activeItem=null;_isMouseDown=!1;_isInPreview=!1;_posDown={x:0,y:0};_posMove={x:0,y:0};_boxPtStart={x:0,y:0};_elemSelectBox=null;constructor(e,t){this._elemRoot=e,this._elemContent=e.find(".content"),this._delegate=t,e.bind("selectstart",(function(){return!1})),this._registerEventHandler()}get activeItem(){return this._activeItem}setActiveItem(e,t){null!=this._activeItem&&this._activeItem.setActive(!1),this._activeItem=e,null!=e&&e.setActive(t)}_registerEventHandler(){const e=this;this._elemContent.on("mousedown",".devicePreviewItem",t=>{if(2&t.buttons)return;t.stopPropagation();const s=e._items[layui.$(t.target).closest(".devicePreviewItem").index()];e.setActiveItem(s,!0)}),this._elemContent.on("mousedown",".devicePreviewItem .titlebar",t=>{if(2&t.buttons)return;t.stopPropagation();const s=e._items[layui.$(t.target).closest(".devicePreviewIte
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Unicode text, UTF-8 text, with very long lines (4801), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4819
                                                                    Entropy (8bit):5.254528297418376
                                                                    Encrypted:false
                                                                    SSDEEP:96:njOF+XAPc9bIdCiOrJKZh+3Ous21BIXZQV9dqHR0E5EaELZC:u+Xf9bIdCJKZeIXZSaR/+1LZC
                                                                    MD5:2E9F357E531D5E17D62392D7162E4D2A
                                                                    SHA1:F15A76B7FB0B04BFE073454E74C2C44C32E9D780
                                                                    SHA-256:16AC7A75492789B1FB8424C1EB9BA74D9101AFDA4DB39C5389AAAC13942F9774
                                                                    SHA-512:6035F524FC2F68369FF369D037A7E911A9A4E8DF426A0C434EABC063E932E9FE9DE93FE44539FF1446CF2E86146CDD85FA4A1449737913C73635901AC6847CE2
                                                                    Malicious:false
                                                                    Preview:import{DouWanWSService,DouWanWSMouse,DouWanWSCtrl}from"./ws.min.js";import{DlgDeviceGroupEditor}from"./DlgDeviceGroupEditor.min.js";import{DlgDevicePreview}from"./DlgDevicePreview.min.js";import{DlgGroupEdit}from"./DlgGroupEditor.min.js";class DeviceGridItem{_elem=null;_elemPreview=null;_device=null;_isMouseDown=!1;_lastMouseEvent=null;_inDetail=!1;_tplt='\n <div class="devicePreviewItem">\n <div class="titlebar">\n <label>{{= d.window_title }}</label>\n <i class="icon icon-group"></i>\n <i class="icon icon-edit"></i>\n <i class="icon icon-detail"></i>\n </div>\n <img class="preview" draggable="false" />\n </div>\n ';constructor(e){this._device=e;const t=this;layui.laytpl(this._tplt).render(e,e=>{t._elem=layui.$(e),t._elemPreview=t._elem.find(".preview")}),this._elemPreview.on("load",e=>{const t=window.URL||window.webkitURL;t.revokeObjectURL(e.target.src)})}get elemRoot(){return this._elem}get elemIndex(){return
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:C++ source, Unicode text, UTF-8 text, with very long lines (2365), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):2377
                                                                    Entropy (8bit):5.006516983665124
                                                                    Encrypted:false
                                                                    SSDEEP:48:uWONSaImctMAT4kaexVSVpFpE2egJ0onxqIbI4p:akjMNYWjnxqIRp
                                                                    MD5:618C5028C449F8E15EC544CB90F7CDEF
                                                                    SHA1:E0ADD391453AC2FBA632F901ADBD9EBC869C3BDB
                                                                    SHA-256:C37A6F5EE7E85F486736F426D1CE5AEF52B1482EC9C48B055FA2C570994AE044
                                                                    SHA-512:D132B2A37FA34081F985202309F752892CDA801013DF0177EFDDE2B81390F123730EB3ADC28D66D3D75805310905D20CE17CF15B060AA89E67674CE2E2304695
                                                                    Malicious:false
                                                                    Preview:class DeviceGroup{_uid=0;_name="";_devUuids=[];_devices=[];constructor(e,i){this._uid=e,this._name=i}get uid(){return this._uid}get name(){return this._name}set name(e){this._name=e||""}get devices(){return this._devices}set devices(e){this._devices=e.slice()}get devUuids(){return this._devUuids}set devUuids(e){this._devUuids=e.slice()}addDevice(e){let i=this.devices.indexOf(e);-1==i&&this.devices.push(e),i=this.devUuids.indexOf(e.uuid),-1==i&&this.devUuids.push(e.uuid)}removeDevice(e){let i=this.devices.indexOf(e);-1!=i&&this.devices.splice(i,1),i=this.devUuids.indexOf(e.uuid),-1!=i&&this.devUuids.splice(i,1)}toJson(){let e=[];return this.devices.forEach(i=>{e.push(i.uuid)}),{uid:this._uid,name:this._name,devUuids:e}}}class DeviceGroupService{_wsService=null;_uidNext=0;_grpList=[];_ungroupped=null;constructor(e){this._wsService=e,this._uidNext=1,this._ungroupped=this.addGroup("...")}get ungroupped(){return this._ungroupped}_nextUid(){this._uidNext++}addGroup(e){let i=new DeviceG
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:C++ source, ASCII text, with very long lines (416), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):416
                                                                    Entropy (8bit):4.907661658781714
                                                                    Encrypted:false
                                                                    SSDEEP:6:yjjWjjx2fE9PROk46mauXxLAISMFyOLNNwaXNVx3HHRr6/mMUK9qMXNASMOfNEi9:uyjjMfEb5AXBdxLNjXZAUKq0NAiNE/j8
                                                                    MD5:BF22FCDE858FCBF2FBA3C107F7945A40
                                                                    SHA1:5E7A05CCD8113B7A774BDE67CE5DA0F59CF71C08
                                                                    SHA-256:30D95DFFFE77BD8F8ED20EF1AC97C5719353835BDB96B1927DCF25EF7F0BCA8E
                                                                    SHA-512:CAB83B68DB6DFD58E5A38399D5407899CEFD6EF7ED6AEF80E35B7AEBF339432812AF19FF73D34B2507E7AA7DF6D44E6898B9B2BA92A21196386B49FAF0498A1D
                                                                    Malicious:false
                                                                    Preview:class DeviceService{_wsService=null;_devices=[];constructor(e){this._wsService=e}allDevices(){return Array.from(this._devices)}async syncAllDevices(){try{let e=await this._wsService.devicesList();0==e.code&&(this._devices=e.data.device_list)}catch(e){this._devices=[];for(let e=1;e<=40;e++){let i={cast_type:2,device_name:"Android",window_title:e,uuid:"192.168.16."+e};this._devices.push(i)}}}}export{DeviceService};
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Unicode text, UTF-8 text, with very long lines (2446), with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):2470
                                                                    Entropy (8bit):5.2596577567267
                                                                    Encrypted:false
                                                                    SSDEEP:48:+FHwb5lsEaL4oEzmuPKHSuCiVEEVmzjM78m+IZ8j9Rk:+FHwbAEaL4X6JHSBnVs78G8hRk
                                                                    MD5:3ABDC1F21C32657A69229E18C3F29A2C
                                                                    SHA1:9BDE28A961AB5544D88784D0F982D7C456761519
                                                                    SHA-256:E68F78F4BC408E0AE93E8886954223A24CDD5DB09043A12F425BDF374729D3A8
                                                                    SHA-512:09605C62787BA76028B1B804481B5CB232B42C9E1814DAA81C0A1A43555F046D7332886E200F351EC5EE81E64B4DE2009F33328E36DA6575062BB8F2CDFC44B3
                                                                    Malicious:false
                                                                    Preview:let s_wsService=null;export const DouWanWSCtrl={Back:"back",Home:"home",Power:"power",Notify:"notify",AppSwitch:"appswitch",PointMode:"pointmode"};export const DouWanWSMouse={Click:"click",Swipe:"swipe",Scroll:"scroll",Press:"press",Release:"release",Move:"move"};export class DouWanWSService{static Notify={DeviceChange:"DouWanWSService.Device.Change"};apiWS="";_reqCount=0;_wsSocket=null;_reqHandles={};static get defaultService(){return null==s_wsService&&(s_wsService=Object.seal(new DouWanWSService)),s_wsService}start(e){if(null!=this._wsSocket)return;const t=this;let i=new WebSocket(this.apiWS);i.onclose=()=>{console.log("...."),e(!1)},i.onerror=t=>{console.log("...."),e(!1,t)},i.onopen=t=>{console.log("....",t),e(!0)},i.onmessage=e=>{t._handleResp(e.data)},this._wsSocket=i}deviceWindowTitle(e,t){let i={dev_uuid:e,window_title:t};return this._sendReq({api:"/device/windowtitle",params:i})}deviceMouse(e,t){let i={input:t,dev_uuid:e};return this._sendReq({api:"/de
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:P:P
                                                                    MD5:3389DAE361AF79B04C9C8E7057F60CC6
                                                                    SHA1:DF58248C414F342C81E056B40BEE12D17A08BF61
                                                                    SHA-256:684888C0EBB17F374298B65EE2807526C066094C701BCC7EBBE1C1095F494FC1
                                                                    SHA-512:7846CDD4C2B9052768B8901640122E5282E0B833A6A58312A7763472D448EE23781C7F08D90793FDFE71FFE74238CF6E4AA778CC9BB8CEC03EA7268D4893A502
                                                                    Malicious:false
                                                                    Preview:*
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1953
                                                                    Entropy (8bit):4.927543074445271
                                                                    Encrypted:false
                                                                    SSDEEP:48:L1ZZcC0l9P8Bsg/MoqHuDijQeuGAHb4f0pMTT:L1Zh0l1Vg/MoqHuDijduGAHb4f0pMTT
                                                                    MD5:BC3D569152FDE761EB8BDA1584F4B8E7
                                                                    SHA1:2E4EE49FB13F6D287806CE1B280F0B9DC7C8F5F6
                                                                    SHA-256:D41498F51B75320A27FF0A64C2AD7368DDB1005849F91931EDB9D80697FBB104
                                                                    SHA-512:96426D95B5F3C7BBF64BE5CA147655AAADCD41E6382EF778EDFFCBBC8B609EB2633ECE61FD7E6DBEF4F3F90A9CF804F3E8F3A4C5650E357F52567557E61674A0
                                                                    Malicious:false
                                                                    Preview:..@font-face {.. font-family: 'eletree_icon';.. src: url('../fonts/eletree_icon.eot?uccppv');.. src: url('../fonts/eletree_icon.eot?uccppv#iefix') format('embedded-opentype'),.. url('../fonts/eletree_icon.ttf?uccppv') format('truetype'),.. url('../fonts/eletree_icon.woff?uccppv') format('woff'),.. url('../fonts/eletree_icon.svg?uccppv#eletree_icon') format('svg');.. font-weight: normal;.. font-style: normal;.. font-display: block;..}....[class^="eletree_icon-"], [class*=" eletree_icon-"] {.. /* use !important to prevent issues with browser extensions that change fonts */.. font-family: 'eletree_icon' !important;.. speak: never;.. font-style: normal;.. font-weight: normal;.. font-variant: normal;.. text-transform: none;.. line-height: 1;.... /* Better Font Rendering =========== */.. -webkit-font-smoothing: antialiased;.. -moz-osx-font-smoothing: grayscale;..}.....eletree_icon-check_half:before {.. content: "\e904";..}...eletree_icon-check_none:before {.. co
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Unicode text, UTF-8 text, with very long lines (48612), with CRLF, NEL line terminators
                                                                    Category:dropped
                                                                    Size (bytes):165060
                                                                    Entropy (8bit):5.351058970904207
                                                                    Encrypted:false
                                                                    SSDEEP:3072:KuUJIdMwy2QOojvdlAY3FH6O/Xy8PI4TyArI:WJIdMwy2QOojvdfJRwdArI
                                                                    MD5:01B5ADBB12E402C4244332C3927DC5DC
                                                                    SHA1:385DDF4569A0CB645E1164DA0C850D681CFA0BCC
                                                                    SHA-256:FDC9187CDCF3654DC1799215EECEBB868D32A3038CC3EA18FBD371A496D7DA3E
                                                                    SHA-512:3AB5046B956E08EAEB2E242CEA16E2856D566F69151E82DA81DF9781B89996857EE6AA8BE44084B070FAD6C6DEF1CDE92E487F46CEC8719C82E2C1BB893AAA58
                                                                    Malicious:false
                                                                    Preview:/*!.. * .. * @name: eletree.. * @version: 2.3.2.. * @description: Tree component based on virtual dom.. * @author: hsianglee.. * @license: MIT.. * @repository: https://github.com/hsiangleev/eleTree.git.. * .. */..!function(e,t){if("object"==typeof exports&&"object"==typeof module)module.exports=t();else if("function"==typeof define&&define.amd)define([],t);else{var n=t();for(var r in n)("object"==typeof exports?exports:e)[r]=n[r]}}(window,(function(){return function(e){var t={};function n(r){if(t[r])return t[r].exports;var i=t[r]={i:r,l:!1,exports:{}};return e[r].call(i.exports,i,i.exports,n),i.l=!0,i.exports}return n.m=e,n.c=t,n.d=function(e,t,r){n.o(e,t)||Object.defineProperty(e,t,{enumerable:!0,get:r})},n.r=function(e){"undefined"!=typeof Symbol&&Symbol.toStringTag&&Object.defineProperty(e,Symbol.toStringTag,{value:"Module"}),Object.defineProperty(e,"__esModule",{value:!0})},n.t=function(e,t){if(1&t&&(e=n(e)),8&t)return e;if(4&t&&"object"==typeof e&&e&&e.__esModule)return e;var r=Ob
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Embedded OpenType (EOT), icomoon family
                                                                    Category:dropped
                                                                    Size (bytes):7208
                                                                    Entropy (8bit):5.6119705866574385
                                                                    Encrypted:false
                                                                    SSDEEP:96:PfHbqrkmlhjGCBuYk5dVUZKwVHoEzcXkFJPLCH2E0Etq06vddlPV2DG:7+kkhjYYsGVH9YUXW7qlPV2K
                                                                    MD5:BEBE81AA1BE23C66C42FCBFAFCBCE1F0
                                                                    SHA1:04CFD5DE1F03573C01E7138F5E8A2F7CB4A2A892
                                                                    SHA-256:30DDCBD0303CFC43ECE37A35F6501307355E3F836229B9B8C545D3B318441809
                                                                    SHA-512:8592D3D460E7822567E1C2A22C61D2FD69227C58B467F360BB81973C6A3FC6E7E52B2E3C6E47E54F6BFD59E49CEE1DCB99FA117489BEB37D42CBAFF62166E066
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:SVG Scalable Vector Graphics image
                                                                    Category:dropped
                                                                    Size (bytes):23543
                                                                    Entropy (8bit):4.1306847482489815
                                                                    Encrypted:false
                                                                    SSDEEP:384:cD9MxgF7jMLyKJd5AYJ0EtHrwff8UpXkTXgkQ3Lc9KRgnqk1UHMec1ieylPgv4:cRMevOaY06HrrUpYpQ3Lcq/woPPgv4
                                                                    MD5:CF8069B57C731B670064AEA169F9114D
                                                                    SHA1:B601B1C3EF4C8431164A1E10FA44FEE2FB2F9D46
                                                                    SHA-256:44A9E973C2573806A48CD88C1FB7E342068158EDF405C620B121D288B7179BB5
                                                                    SHA-512:5992C63D49A8F9B521D17E5FA1D2E6B24F1AC814F21F9EAA3200FE4E51AB7D508B7F913E38F7368AD712505E14EEF2AC16527DA5297E1CE0F277399BB9BF248D
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" standalone="no"?>..<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" >..<svg xmlns="http://www.w3.org/2000/svg">..<metadata>Generated by IcoMoon</metadata>..<defs>..<font id="icomoon" horiz-adv-x="1024">..<font-face units-per-em="1024" ascent="960" descent="-64" />..<missing-glyph horiz-adv-x="1024" />..<glyph unicode="&#x20;" horiz-adv-x="512" d="" />..<glyph unicode="&#xe900;" glyph-name="eletree_icon-tree_fold" horiz-adv-x="878" d="M859.429 109.714c0-20-16.571-36.571-36.571-36.571h-264c1.714-36.571 6.286-74.857 6.286-112 0-18.857-15.429-34.286-34.857-34.286h-182.857c-19.429 0-34.857 15.429-34.857 34.286 0 37.143 4.571 75.429 6.286 112h-264c-20 0-36.571 16.571-36.571 36.571 0 9.714 4 18.857 10.857 25.714l229.714 230.286h-130.857c-20 0-36.571 16.571-36.571 36.571 0 9.714 4 18.857 10.857 25.714l229.714 230.286h-112.571c-20 0-36.571 16.571-36.571 36.571 0 9.714 4 18.857 10.857 25.714l219.429 219.429c6.857 6.857 16 10.85
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:TrueType Font data, 11 tables, 1st "OS/2", 14 names, Macintosh, type 1 string, icomoon
                                                                    Category:dropped
                                                                    Size (bytes):7044
                                                                    Entropy (8bit):5.634037045720555
                                                                    Encrypted:false
                                                                    SSDEEP:96:zHbqrkmlhjGCBuYk5dVUZKwVHoEzcXkFJPLCH2E0Etq06vddlPV2DG:P+kkhjYYsGVH9YUXW7qlPV2K
                                                                    MD5:F2A86A599C879D05441AD014734CD8BD
                                                                    SHA1:88030278B5008DE7D96278CCFBE7EFC5797518E0
                                                                    SHA-256:9F00CE76B5A225AA66EFEEBDA8E8D7B7BDB0D79708700721594FB0C71CC5D1EE
                                                                    SHA-512:3C1BF50F2B3D14B8D7377E169DF9F385840AF9BAEF9299F2E7ED4F432BD8E4FE241E1B3845E9E059FD609408112C89647B7F877B46A5CF792B0F8798FA5D445B
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Web Open Font Format, TrueType, length 7120, version 0.0
                                                                    Category:dropped
                                                                    Size (bytes):7120
                                                                    Entropy (8bit):5.619627620650974
                                                                    Encrypted:false
                                                                    SSDEEP:96:GezbqrkmlhjGCBuYk5dVUZKwVHoEzcXkFJPLCH2E0Etq06vddlPV2DG:bn+kkhjYYsGVH9YUXW7qlPV2K
                                                                    MD5:4111DE0E495E954FAAE52A2A3DC8F1A0
                                                                    SHA1:ED34F6A3B6CE13ED5B7D18283073321D0C2AEC5D
                                                                    SHA-256:224D0BD9D5343C70B29CF46BD382962A87AB58387130BF3893D6C01780B5801F
                                                                    SHA-512:192E05D688EE262FFA18FB91648A5AC0EF44F9CF676D48C560769358AF2B333D522B3842BA44BA0EE3CD585B718E0B0A309033B86FE32E4152A481C0FA49E08C
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):1135
                                                                    Entropy (8bit):6.479984313601769
                                                                    Encrypted:false
                                                                    SSDEEP:24:OV6y1he91Wwjx82lY2T3ouVO4QayJ3VuBzCfGe+NUGdTku7nP:OV6wqQNn2xsxhJ3wlCfbNGdb
                                                                    MD5:64E200699A953FFBF2F912E536B04307
                                                                    SHA1:2DEABCC196AF691E99A4B675231E9B4704968089
                                                                    SHA-256:B97B706D0708C0701ACDA1494F5B0E7B06AFF2E71D4750F4871336DD2E585272
                                                                    SHA-512:103ABDB26BD50812FAC2C74B97D7005093EB771AC1B5859546403B8F4684D1DEDD724F0DC094F6DE0CFDFB2BFE6DBBD05FDE8DBF7CBA05F665D90877A896A230
                                                                    Malicious:false
                                                                    Preview:.PNG........IHDR....................tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:765495F0B03A11EAAE44DF91BF362DF6" xmpMM:DocumentID="xmp.did:765495F1B03A11EAAE44DF91BF362DF6"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:765495EEB03A11EAAE44DF91BF362DF6" stRef:documentID="xmp.did:765495EFB03A11EAAE44DF91BF362DF6"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.w.K....IDATx..1.D@...1... q.Z..($....B.P(t.....D...F2fgw......%....i..q$r.,.4MU.y..t.u.....Q..,..,..4..I).$IQ...
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):1010
                                                                    Entropy (8bit):6.101294739173812
                                                                    Encrypted:false
                                                                    SSDEEP:24:OV6y1he91Wwjx82lY2T3ouVHKKyJ3VlWj8GXbCFTk:OV6wqQNn2xJAJ3q8yCG
                                                                    MD5:7B03C7D0370687B680B5B77B64459C31
                                                                    SHA1:07C0076F0B4678E49762A473077824D08937675E
                                                                    SHA-256:C85A07F06DEE1CEC43D8F41FB342EF2014F636DE92EAD5FF16F7F921C3D77FDF
                                                                    SHA-512:E2BF04C222A98C0138C8D9484ABA3DD073EC10963EF83D085C9EC4FBBEF9371545B3398946FF219340AD326EB5D4A0FCF0C1E27A117B996DE01FB64A067E410B
                                                                    Malicious:false
                                                                    Preview:.PNG........IHDR....................tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:05A2D9E2B03A11EA977ED039D9B7D9EF" xmpMM:DocumentID="xmp.did:05A2D9E3B03A11EA977ED039D9B7D9EF"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:05A2D9E0B03A11EA977ED039D9B7D9EF" stRef:documentID="xmp.did:05A2D9E1B03A11EA977ED039D9B7D9EF"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>3.Z....fIDATx.b\.p.K..^..@.......c....y.&......?~.ic ...11....6.d....(uuu..m.... W.0..............T....`...."...l..
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):1009
                                                                    Entropy (8bit):6.121955830489072
                                                                    Encrypted:false
                                                                    SSDEEP:24:OV6y1he91Wwjx82lY2T3ouVu8TyJ3VC1GdWb0y7:OV6wqQNn2xTuJ32v/7
                                                                    MD5:A39E6C554CA285F4DC2A624D59BCDF9B
                                                                    SHA1:F59CFEAB2A4097506D69C59C98CB7BF9A7BC3D94
                                                                    SHA-256:9E9EA71DB25C6AC375C18AFBDED42436A6D7E1ABD4A8C6795A558EA707925BBF
                                                                    SHA-512:2F25B402005A2CFDA3780A119A261C1647D1F69A6802DF9E0E1BDF8CA6226D1D675700CC098257E0E78690F0E779F36A3F7DC4E314B6C7EAD16BD4D1090FC7C7
                                                                    Malicious:false
                                                                    Preview:.PNG........IHDR....................tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:4A0529FBB03A11EABBAFC8137522F908" xmpMM:DocumentID="xmp.did:4A0529FCB03A11EABBAFC8137522F908"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:4A0529F9B03A11EABBAFC8137522F908" stRef:documentID="xmp.did:4A0529FAB03A11EABBAFC8137522F908"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..,}...eIDATx.b\.p.K..^..@.......c....y.&......?~dy..!..{.n"......01..F..j.l.X......x=@-L.<'//O...b......<...ATR....
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 29 x 29, 8-bit/color RGBA, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):1517
                                                                    Entropy (8bit):7.1279829440340725
                                                                    Encrypted:false
                                                                    SSDEEP:24:My1he91Wwjx82lY2T3ouVRKDyxLyJ3VRGTqyP8GDV39DglpgXTotGChNzZKR4DyY:MwqQNn2xoJ3qaYVtDWCTqdZKEL
                                                                    MD5:24D8E00AF6AC2CD281A305620218BB6A
                                                                    SHA1:FFC5678BF2482BF3B53935599C4B488A7F93947D
                                                                    SHA-256:ADA66BAFF96EEC5E6BDD6D53119833943F63A134ADB0A45A5C2424B7883427EC
                                                                    SHA-512:58BC931FA609AF56EE7097C56AFAC2641F40A613AE5FF68FACFF7BEBBCFEB0C0E8E4771F2F1DBD24AB05E9772C5FA8C4FC331874C16648639B561D7B36819B23
                                                                    Malicious:false
                                                                    Preview:.PNG........IHDR.............V.g.....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:D609CDCE2AE411EAA2838AF127E7B29B" xmpMM:DocumentID="xmp.did:D609CDCF2AE411EAA2838AF127E7B29B"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D609CDCC2AE411EAA2838AF127E7B29B" stRef:documentID="xmp.did:D609CDCD2AE411EAA2838AF127E7B29B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>gX\Y...aIDATx..Mk.A....^.$..;........x...d...&..+.....B..z...{..-....<(X..'/1.......\........y&8.L..)....r....
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 29 x 29, 8-bit/color RGBA, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):2124
                                                                    Entropy (8bit):7.478179444495855
                                                                    Encrypted:false
                                                                    SSDEEP:48:MwqQNn2xiJ3SAYM92mq7cmiMm0/fJpz72:cY2b0Em4DiMmAp32
                                                                    MD5:68ABB5FDDB1D51AC5B9D05E18873C988
                                                                    SHA1:6F6421D23DD14BE5A8925A2492742251D1C9D7FF
                                                                    SHA-256:C354EDAEFDCC3F20B891BA4FA11F9A259784439C32D69DD370D46E24AA0E2138
                                                                    SHA-512:722AFC20D2174D3D5ABCE6009D80109ECBBEB9FC77426242B8814E6B32A502D40E6F99DB3BD4764C32BDC80009D38DC14F40037D064F33BF260201E7B37603BA
                                                                    Malicious:false
                                                                    Preview:.PNG........IHDR.............V.g.....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:FCE0221B2AE411EAAD81A951E8AD321F" xmpMM:DocumentID="xmp.did:FCE0221C2AE411EAAD81A951E8AD321F"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FCE022192AE411EAAD81A951E8AD321F" stRef:documentID="xmp.did:FCE0221A2AE411EAAD81A951E8AD321F"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..`.....IDATx..V[L.U.>3...P`)-`[... .e..[0..R..C.X.Q.hic.....O5.U...&...IK....]..K..v.....eA.f.~.3.@.\.4...?..g......
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 13x16, components 3
                                                                    Category:dropped
                                                                    Size (bytes):1188
                                                                    Entropy (8bit):6.140576424944464
                                                                    Encrypted:false
                                                                    SSDEEP:24:zK1he91Wwjx82lY2T3ouVeeFL4elyJ3VlOeAueKGxtysuZv:UqQNn2xDNjUJ3Z+Kak5
                                                                    MD5:002BD7B6BAC4E2968865B7AD4ED1FB03
                                                                    SHA1:BCBCA24C51D5D0348388DF6A66C78A7EADB1FD08
                                                                    SHA-256:3FF55BCE0E33CFBE82645DE1F31B581ADDA4814C3717EC1231C5917B1D432E7B
                                                                    SHA-512:2668837D955C828BDFE0687F39204184CF8287FEC465B89B600B5E97FE8B27FC2E5C831C9E06568934732881B6E83BA44AFB44A6AB85FCC5EFE809C8CB3C4E8E
                                                                    Malicious:false
                                                                    Preview:......Exif..II*.................Ducky.............+http://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:3A559AFDAEC811EA979FAF8F0A6A1425" xmpMM:DocumentID="xmp.did:3A559AFEAEC811EA979FAF8F0A6A1425"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:3A559AFBAEC811EA979FAF8F0A6A1425" stRef:documentID="xmp.did:3A559AFCAEC811EA979FAF8F0A6A1425"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d...............................................#%'%#.//33//@@@@@@@@@@@@@@@......................&.....&0#....#0+.'''.+550055@@?@@
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 13 x 16, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):1352
                                                                    Entropy (8bit):6.9053996669887985
                                                                    Encrypted:false
                                                                    SSDEEP:24:nXy1he91Wwjx82lY2T3ouV3a7yS4yJ3V5Lr5GJ7qnfbfkSZOSAWlGea:nXwqQNn2x4+6J3BSqTcS/JW
                                                                    MD5:D6E9F823419EE5F7F385112B4E6297AE
                                                                    SHA1:E11AACB932FC277EAA4479221A43565676D2934B
                                                                    SHA-256:CB983D04B9F2870A73F8E2A6B3E17B3C91F78138453CEDDBE3C38D7310851088
                                                                    SHA-512:02DC657B71CFF2B2287E12CE9E4D013C7E2F47D90310CD9C6EBFFDB2A6BFB763FD6E7111F58C145D11AF5FBCBE1688469F83F3F3D26915D759F891392223C18B
                                                                    Malicious:false
                                                                    Preview:.PNG........IHDR.............B.bn....tEXtSoftware.Adobe ImageReadyq.e<..."iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:AB663B16AFB111EA8DCF93E7940B8904" xmpMM:DocumentID="xmp.did:AB663B17AFB111EA8DCF93E7940B8904"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:AB663B14AFB111EA8DCF93E7940B8904" stRef:documentID="xmp.did:AB663B15AFB111EA8DCF93E7940B8904"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>A.......IDATx.,.on.A..g<;..i....^..#pC..WNPUHD@ECH....c.M..F...........ld|..=.......'...!^?...>~fKJ...o..3Rgy(7.:....R
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 13x16, components 3
                                                                    Category:dropped
                                                                    Size (bytes):1252
                                                                    Entropy (8bit):6.241716396813502
                                                                    Encrypted:false
                                                                    SSDEEP:24:tK1he91Wwjx82lY2T3ouVmKaqVyJ3VoQ4hYGuMv+PmDzAJHe:qqQNn2x4KjkJ32f6R+zP
                                                                    MD5:DDC9184B73D8C326C65944EB916C85CE
                                                                    SHA1:5AC56EAA37BCE0545CDC6CB14B4EFD1C850CCF90
                                                                    SHA-256:A3EACB2E66D53682B61E6F9A6A7406972C939AD88E2627D4720FB84E2341DE81
                                                                    SHA-512:A692E2F5E327AE2929DFBB91B3FF890CB8658F4CCE32519A2B93E86FD7108C0ED069748F4C35251B5FC0079E670C58DCF2E3E007299F2255735D56DC42554CE4
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 13 x 16, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):1300
                                                                    Entropy (8bit):6.8212025226423165
                                                                    Encrypted:false
                                                                    SSDEEP:24:nXy1he91Wwh82lYSgYQFVoQeT3ouyJ3VmQqhYGUP4jNJpV2T2tvidyv2/KWu:nXwqQvnlF/eIJ34B6YNJ72T2tqd62/W
                                                                    MD5:DE644A6870C53E4E80010BAFB3E05721
                                                                    SHA1:823DF1B2E524F8159692A911B8802B25EBC66F66
                                                                    SHA-256:BE4C8D2310F8DA0F03D2405AFB360F3A58F50814931092A483E18F23B80CBBAE
                                                                    SHA-512:89DB23294C403AB5A054A1A5D50EFF7A6BA80B8EF111E30A3C6E155582D4AD33A6875951D7B4C52240B535FFBCE0848A22A4856683DFB664016D1F3F22AA3F95
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):1527
                                                                    Entropy (8bit):7.086048558361616
                                                                    Encrypted:false
                                                                    SSDEEP:24:OV6y1he91Wwjx82lY2T3ouVIjEua7HyJ3VIKOVGGFxlLzZRmktsAr1fGomiU7zwX:OV6wqQNn2xEluSJ3XRcDzf/B1+sU/qDb
                                                                    MD5:610E7ECD5E891C358D9B62B624CF2B1B
                                                                    SHA1:0EC498E798A7282AED72644C75BDE62DC410B014
                                                                    SHA-256:D7C01BDB246E176A3DA2ED079A31256D6CA36FF0CA58F472F9AD17C0FB88CC94
                                                                    SHA-512:BF3DC98D1ED025112BF316B1C9D241A6BDE9806080AB7DDE5AC24F1375F272A765B7A53B3E3AFD3D15738AF693FA872FE5487DF94EE725E3FE84C13648A3692B
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PNG image data, 18 x 18, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):1198
                                                                    Entropy (8bit):6.619673169053483
                                                                    Encrypted:false
                                                                    SSDEEP:24:OV6y1he91Wwjx82lY2T3ouVH8Y7r8SLyJ3Vp8h7p87bGzAitRYhOD58IS8:OV6wqQNn2x4J3LOAWuhc5bS8
                                                                    MD5:F2F4DB0D205412B2392772FC4BF4F346
                                                                    SHA1:0424588728FA2656F1B6948CB01CFCD7BEFB2D1E
                                                                    SHA-256:3B251071ED53D30C0C8C8EF5924E19BC9A2D335F8ECEDFFC676345B5D4D81C85
                                                                    SHA-512:113F6A8BF167FF27E9D2FD8BAD175090D24A56E34423733E757D8AD327F35B21CB0494D5E26D1BA7EC05DB76A717DFE1B6215C547130F73598FAE80EF9F8D4CD
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):661608
                                                                    Entropy (8bit):6.574877850719651
                                                                    Encrypted:false
                                                                    SSDEEP:12288:JM+jCCPpAV4PzwlMUq+pgjbnDocurwFaA:JM+2YpACElMz+pgjbgwJ
                                                                    MD5:966127E7856D02D9CF7A4F5CCC02E29E
                                                                    SHA1:93C25C6539B9BF90312B340AB65FE8C4D70D8C14
                                                                    SHA-256:B2D67F6811D39574F41203DAE2E108B2729DADBF9BA2943BB526715966B874DC
                                                                    SHA-512:3893472A4FDC3521A8A267CDDED665967578C1A60F5AC82EDD874B4597CC39A70EE9BDF2F7D5A449772A47B5B04A57F22B6DF49C7A31761ED310E5749F167F35
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):41064
                                                                    Entropy (8bit):7.0517184256181125
                                                                    Encrypted:false
                                                                    SSDEEP:768:YBDBnF909r2F7aMHDHf/ckkMr2F7UceXyHDHf/ckh:imZEZjHo8E/jHt
                                                                    MD5:1A47B789F81A72E464644C64DEDAC0D2
                                                                    SHA1:4E9C5CECA7BF0DD5212C29AAF44148BB0E16EE4C
                                                                    SHA-256:BA3CF1C7661F5B8C4883AB4309BCE1513A87C3AAF1FEA60A6650A626A9FFE338
                                                                    SHA-512:20666B8842F8C58EE06D6AD7DE3D9DE1D07CC2C7B9D25E952DA0EC1B26603A123958173CD0E4C1691F81B0B55ABC91F6734F8DAE13A18317654A22D3DDA2D25B
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):41968
                                                                    Entropy (8bit):6.0993566622860635
                                                                    Encrypted:false
                                                                    SSDEEP:768:VPs5g31JfDgej5JZmA0ZsEEC6lmn+4FdDGimUf2hr:VkC31ee7ZmA+sEEC6lmn+4FOUfc
                                                                    MD5:313F89994F3FEA8F67A48EE13359F4BA
                                                                    SHA1:8C7D4509A0CAA1164CC9415F44735B885A2F3270
                                                                    SHA-256:42DDE60BEFCF1D9F96B8366A9988626B97D7D0D829EBEA32F756D6ECD9EA99A8
                                                                    SHA-512:06E5026F5DB929F242104A503F0D501A9C1DC92973DD0E91D2DAF5B277D190082DE8D37ACE7EDF643C70AA98BB3D670DEFE04CE89B483DA4F34E629F8ED5FECF
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):39408
                                                                    Entropy (8bit):6.0316011626259405
                                                                    Encrypted:false
                                                                    SSDEEP:768:ygk2hM0GskFtvPCjEIxh8eDzFyPddeeGvnhotdDGPUf2he:yN2a05kfPOEMaeDzFkddeFnhotOUfh
                                                                    MD5:52FD90E34FE8DED8E197B532BD622EF7
                                                                    SHA1:834E280E00BAE48A9E509A7DC909BEA3169BDCE2
                                                                    SHA-256:36174DD4C5F37C5F065C7A26E0AC65C4C3A41FDC0416882AF856A23A5D03BB9D
                                                                    SHA-512:EF3FB3770808B3690C11A18316B0C1C56C80198C1B1910E8AA198DF8281BA4E13DC9A6179BB93A379AD849304F6BB934F23E6BBD3D258B274CC31856DE0FC12B
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):45040
                                                                    Entropy (8bit):6.016125225197622
                                                                    Encrypted:false
                                                                    SSDEEP:768:vEip0IlhxTDxut3dnm8IyAmQQ3ydJouEAkNypTAO0tfC3apmsdDG9Uf2hU:vxvXxgVIyA23ydJlEATpTAO0tfCKpms/
                                                                    MD5:AD84AF4D585643FF94BFA6DE672B3284
                                                                    SHA1:5D2DF51028FBEB7F6B52C02ADD702BC3FA781E08
                                                                    SHA-256:F4A229A082D16F80016F366156A2B951550F1E9DF6D4177323BBEDD92A429909
                                                                    SHA-512:B68D83A4A1928EB3390DEB9340CB27B8A3EB221C2E0BE86211EF318B4DD34B37531CA347C73CCE79A640C5B06FBD325E10F8C37E0CEE2581F22ABFBFF5CC0D55
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):38384
                                                                    Entropy (8bit):5.957072398645384
                                                                    Encrypted:false
                                                                    SSDEEP:768:zBXBEfQiAzC9Oh5AS7a3Z5OGrTDeV9mp7nnsWdDGgYUf2hi/:8JAzuOhy3zOGrTDeV9mp7nnsWjYUfz
                                                                    MD5:A9ABD4329CA364D4F430EDDCB471BE59
                                                                    SHA1:C00A629419509929507A05AEBB706562C837E337
                                                                    SHA-256:1982A635DB9652304131C9C6FF9A693E70241600D2EF22B354962AA37997DE0B
                                                                    SHA-512:004EA8AE07C1A18B0B461A069409E4061D90401C8555DD23DBF164A08E96732F7126305134BFAF8B65B0406315F218E05B5F0F00BEDB840FB993D648CE996756
                                                                    Malicious:false
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):421360
                                                                    Entropy (8bit):5.7491063936821405
                                                                    Encrypted:false
                                                                    SSDEEP:6144:USgOWz1eW38u9tyh6fpGUasBKTrsXWwMmH1l3JM5hn0uEfB4:USPQTnastBRB4
                                                                    MD5:16ABCCEB70BA20E73858E8F1912C05CD
                                                                    SHA1:4B3A32B166AB5BBBEE229790FDAE9CBC84F936BA
                                                                    SHA-256:FB4E980CB5FAFA8A4CD4239329AED93F7C32ED939C94B61FB2DF657F3C6AD158
                                                                    SHA-512:3E5C83967BF31C9B7F1720059DD51AA4338E518B076B0461541C781B076135E9CB9CBCEB13A8EC9217104517FBCC356BDD3FFACA7956D1C939E43988151F6273
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):26112
                                                                    Entropy (8bit):5.32250911858133
                                                                    Encrypted:false
                                                                    SSDEEP:768:CwEiP1YOYvEWNXvcDFTuL/ZL80lZ7dsgDl:jEiP1YOY8yXvcDFTuL/ZL80lZ7dsgDl
                                                                    MD5:043F65C95409CF107C732ADA97345811
                                                                    SHA1:BC916748148F4D475E6591C442F94EC20AF85929
                                                                    SHA-256:6F5A878610A76EAF931B76E1309E1A850869E85432470CE8E9B6685401B243C8
                                                                    SHA-512:2CFBCAC2C313A6DF0494C504489275AADF3BFA7B890B2804545DF2B37BD89C711EBC362ED0581CE63119BC6C9EBF473A74CE6FE9CC0B070E918DECE2CF211771
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):32240
                                                                    Entropy (8bit):5.978149408776758
                                                                    Encrypted:false
                                                                    SSDEEP:768:uOVKDlJJVlTuLiMtsKVG7TSdDG9Uf2h4e:hVgJVlTuL/tsKVG7TSQUfre
                                                                    MD5:C0DE135782FA0235A0EA8E97898EAF2A
                                                                    SHA1:FCF5FD99239BF4E0B17B128B0EBEC144C7A17DE2
                                                                    SHA-256:B3498F0A10AC4CB42CF7213DB4944A34594FF36C78C50A0F249C9085D1B1FF39
                                                                    SHA-512:7BD5F90CCAB3CF50C55EAF14F7EF21E05D3C893FA7AC9846C6CA98D6E6D177263AC5EB8A85A34501BCFCA0DA7F0B6C39769726F4090FCA2231EE64869B81CF0B
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):31728
                                                                    Entropy (8bit):5.865766652452823
                                                                    Encrypted:false
                                                                    SSDEEP:768:1lGALluUEAQATWQ79Z2Y8Ar+dDG2vUf2hF:TZl/EH8WQ794Y8Ar+hvUfm
                                                                    MD5:A913276FA25D2E6FD999940454C23093
                                                                    SHA1:785B7BC7110218EC0E659C0E5ACE9520AA451615
                                                                    SHA-256:5B641DEC81AEC1CF7AC0CCE9FC067BB642FBD32DA138A36E3BDAC3BB5B36C37A
                                                                    SHA-512:CEBE48E6E6C5CDF8FC339560751813B8DE11D2471A3DAB7D648DF5B313D85735889D4E704E8EEC0AD1084AB43BE0EBDFBACD038AEAC46D7A951EFB3A7CE838EB
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):390128
                                                                    Entropy (8bit):5.724665470266677
                                                                    Encrypted:false
                                                                    SSDEEP:6144:V0jqHiFBaRe0GPAKwP15e7xrEEEEEEN024Rx/3tkYiHUASQbs/l7OanYoOgyV:0qqwP15bx/q7/yyV
                                                                    MD5:9C0ACF12D3D25384868DCD81C787F382
                                                                    SHA1:C6E877ABA3FB3D2F21D86BE300E753E23BB0B74E
                                                                    SHA-256:825174429CED6B3DAB18115DBC6C9DA07BF5248C86EC1BD5C0DCAECA93B4C22D
                                                                    SHA-512:45594FA3C5D7C4F26325927BB8D51B0B88E162E3F5E7B7F39A5D72437606383E9FDC8F83A77F814E45AFF254914514AE52C1D840A6C7B98767F362ED3F4FC5BD
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):30192
                                                                    Entropy (8bit):5.938644231596902
                                                                    Encrypted:false
                                                                    SSDEEP:768:EfEM3S46JE2X/xBZ76pC5J6GdDGZUf2h4:63S3JE2PHZ76pC5J6GEUfn
                                                                    MD5:68919381E3C64E956D05863339F5C68C
                                                                    SHA1:CE0A2AD1F1A46B61CB298CEC5AA0B25FF2C12992
                                                                    SHA-256:0F05969FB926A62A338782B32446EA3E28E4BFBFFC0DBD25ED303FAB3404ABAC
                                                                    SHA-512:6222A3818157F6BCD793291A6C0380EF8C6B93ECEA2E0C9A767D9D9163461B541AFAF8C6B21C5A020F01C95C6EE9B2B74B358BA18DA120F520E87E24B20836AA
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):510448
                                                                    Entropy (8bit):6.605517748735854
                                                                    Encrypted:false
                                                                    SSDEEP:12288:bPTjgdqdsvh+LrLrLrL5/y4DVHAsqx3hXS+oPZQqRaYG:jT5sMLrLrLrL5q4dAsaOFo
                                                                    MD5:308E4565C3C5646F9ABD77885B07358E
                                                                    SHA1:71CB8047A9EF0CDB3EE27428726CACD063BB95B7
                                                                    SHA-256:6E37ACD0D357871F92B7FDE7206C904C734CAA02F94544DF646957DF8C4987AF
                                                                    SHA-512:FFAEECFAE097D5E9D1186522BD8D29C95CE48B87583624EB6D0D52BD19E36DB2860A557E19F0A05847458605A9A540C2A9899D53D36A6B7FD5BF0AD86AF88124
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):25072
                                                                    Entropy (8bit):5.961464514165753
                                                                    Encrypted:false
                                                                    SSDEEP:384:KEyYvsyDQrjwgut4Maw+XZndDGg7Dgf2hU:RvszjwgocwOhdDGEUf2hU
                                                                    MD5:BB00EF1DD81296AF10FDFA673B4D1397
                                                                    SHA1:773FFCF4A231B963BAAC36CBEF68079C09B62837
                                                                    SHA-256:32092DE077FD57B6EF355705EC46C6D21F6D72FBE3D3A5DD628F2A29185A96FA
                                                                    SHA-512:C87C0868C04852B63A7399AFE4E568CD9A65B7B7D5FD63030ABEA649AAC5E9F2293AB5BE2B2CE56A57F2B4B1992AE730150A293ADA53637FC5CD7BE0A727CBD4
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):3385328
                                                                    Entropy (8bit):6.382356347494905
                                                                    Encrypted:false
                                                                    SSDEEP:49152:sU0O89Onk/cNTgO/WSLqfTPnK+9eaOiY95ZEQryD1pPG3L:MaHUKt3L
                                                                    MD5:2247EE4356666335DF7D72129AF8D600
                                                                    SHA1:F0131C1A67FC17C0E8DCC4A4CA38C9F1780E7182
                                                                    SHA-256:50FAD5605B3D57627848B3B84A744DFB6A045609B8236B04124F2234676758D8
                                                                    SHA-512:67F2A7BF169C7B9A516689CF1B16446CA50E57F099B9B742CCB1ABB2DCDE8867F8F6305AD8842CD96194687FC314715AE04C1942B0E0A4F51B592B028C5B16D3
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):4863080
                                                                    Entropy (8bit):6.672107118290009
                                                                    Encrypted:false
                                                                    SSDEEP:49152:XFaGNQ/OY88RmfDzO2KZXhFVBKqTMRVZC7q8wZybJoWzyh5dHHac9RQgnuXHP5QE:XFfYAfCZ5HYo7qdusHacbQguXxQOeSpX
                                                                    MD5:E8996B63BA48031BE01D9917C1F8AFED
                                                                    SHA1:1130ECC583F2317AF2B6658E0853365F52EB1B40
                                                                    SHA-256:FFBB79294446633B45ACE6D0DE1A8A60BC1DD163D95A702D7155BB8C365A8635
                                                                    SHA-512:09B9635AE626800DAB619203D85E7EE6DEDACF864392BD938DEEA0D57A9415F5EDD3D0E0935E98316947EA4DF8436ADAD466387BEE46A084A6A60F1D683808C0
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):3247984
                                                                    Entropy (8bit):6.780174646976775
                                                                    Encrypted:false
                                                                    SSDEEP:49152:wVwASOoTIU6iiNGtlqk1nOh5PhT7jj+AJurfGQ4MXVukmzZJTWA+UqItI8JBP7Ff:T8+fI+yup4sImatF/lK1CPwDv3uFh+I
                                                                    MD5:EC30AF8B370DFDA303AFCBE84A9C99E9
                                                                    SHA1:C10BA98A22204E765EBAC6C8B2FA970B87C0CB41
                                                                    SHA-256:1B97C49C37064DFA1A2DDA16D5403DC95E3C02A49CB17450DE95651400D70237
                                                                    SHA-512:43FD94C603FCAD17D5D8E3E624C57C4A39352877097C3006C15E7106DFFEE0102EAD4FD7458A06000139B7CABA24D11563C1134EF6441210E3DEA07FDB2ABB7A
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):924528
                                                                    Entropy (8bit):6.353904720871401
                                                                    Encrypted:false
                                                                    SSDEEP:12288:V19//CF9mM9c4S7bB7JoIMEEwC+1WsnMQkTOpg9WAI0TN2A/0s5cI3eremJxHcLG:IC2EEwC7UAIAoJycdrdHcLEOU2lvzkP
                                                                    MD5:6EE31F5AB7DD86BE80B4F4F6807C14B1
                                                                    SHA1:05D5E12FD75F9B8D27597E752AC990C1B0829B72
                                                                    SHA-256:1A30E44A4AD72171BDB208721BD43F4591E76E9CCD28E86089F1625BEBC91FD3
                                                                    SHA-512:872410F37F8A03D7753BB8D1A887522B5BE97B43EE53F8C5704B9718ABD83A8BA8559B289F89A50D05290C4B73F5807CA64EFFDDB3C2BB3750E41391033A4544
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):574056
                                                                    Entropy (8bit):6.606978606232719
                                                                    Encrypted:false
                                                                    SSDEEP:12288:YLnQFL8HMWtBQrQ8ZkQLMwLt5S8tEBhHPHBdO:YLnQFL8suuIPBdO
                                                                    MD5:6E5EB16A5B7F10D0932D169F0D5429CC
                                                                    SHA1:C359316D3C5DA0C588FC5F3E9BD59AEAC90C7EB2
                                                                    SHA-256:911FA09EFBE09A462C52FFC92B3398E6127777E7792DC521750091E9D1DDBA33
                                                                    SHA-512:81FA2DFF42153197CF6E13966A1DBDA5F10C0F8A584054ECA1AD9B28C6A441F82CED109F70AABB2279ED90D9C743D4CA3FB1612D00A8CDE4600F5088121C9A7B
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):566888
                                                                    Entropy (8bit):6.575655902909786
                                                                    Encrypted:false
                                                                    SSDEEP:12288:mFF88HK0ZnDWRbji8FEqHP2pIINdczUxH2ejEJD1a:mFFldZnDWRSQJP2yIbczUxWejEJg
                                                                    MD5:529EB7D34B947A62F6E17246D164963D
                                                                    SHA1:8CE4DB8F1F7598DA8AFC8745373F8CDD6AAA7D7B
                                                                    SHA-256:16AFF3E6647D782CEB4FB840E486FA4897569AABBE74AF979C4AA066AF67B94D
                                                                    SHA-512:ABBACEE4E4FCC2F17FE0CD8ADF63F4339FFD68FB4BD469E49AE7434B369AC7953F6EE67705146157FFCEA7153D8BFD998DE88C82A7CAF62317107E18389B935F
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):660128
                                                                    Entropy (8bit):6.339650318935599
                                                                    Encrypted:false
                                                                    SSDEEP:12288:t2TOv4Zur4nRc4RwlG4xH2F+O+/i2UA3YyB2hxKM5Qrt+e2EKZm+GWodEEwIP:qRhxKM5U2EKZm+GWodEEw4
                                                                    MD5:0A097D81514751B500690CE3FC3223FA
                                                                    SHA1:7983F0E18D2C54416599E6C192D6D2B151A2175C
                                                                    SHA-256:E299B35D1E3B87930A4F9A9EF90526534E8796B0DEF177FB2A849C27F42F1DF2
                                                                    SHA-512:74639F4C2954B5959EB2254544BF2E06AB097219FC8588A4F154D1A369B0657176128C17911958C84ED55421FE89BF98C8ED36D803A07A28A7D4598DB88027CE
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):565640
                                                                    Entropy (8bit):6.489297717161362
                                                                    Encrypted:false
                                                                    SSDEEP:12288:C/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6z/yjQEKZm+jWodm:EN59IW6z/8QEKZm+jWodEEY
                                                                    MD5:CD0C37F1875B704F8EB08E397381AC16
                                                                    SHA1:249D33C43E105A1C36EC6A24E5EF8DBC5F56B31B
                                                                    SHA-256:D86AC158123A245B927592C80CC020FEA29C8C4ADDC144466C4625A00CA9C77A
                                                                    SHA-512:D60C56716399B417E1D9D7D739AF13674C8572974F220A44E5E4E9AB0B0A23B8937BD0929EEE9F03F20B7F74DB008F70F9559A7EB66948B3AFAB5B96BDD1A6D5
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):23944
                                                                    Entropy (8bit):5.998942809132306
                                                                    Encrypted:false
                                                                    SSDEEP:384:lXt9apR9/u8FON2WWc65gWZTI14gHRN7FBz4UslGsty:lXK79/u8FOEZwFBrN
                                                                    MD5:8AD9C7CFFBB2413F4D5FF9F3AAA1A69B
                                                                    SHA1:2B5116E49AC5913EF8A512A7299E9A459DAB4778
                                                                    SHA-256:18AEF42187072C35B537BE80E3B2DA7CE4919B2C9574ADD19409D98E3026D916
                                                                    SHA-512:D489B82CE896A06CD37905BC5B2FE9620F4E7FEB2A9B77FC93F94E0270B67E7A2F3879AFBA6B546AD44F2EE96F050E83BFC93830010A707126667857BE79028A
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):185736
                                                                    Entropy (8bit):6.539441890812417
                                                                    Encrypted:false
                                                                    SSDEEP:3072:zo8fdbDQ2RAIQSP3cNkquWHSWnwTXsY0YqgwAlrX/Fv1Yq9lrEl:zVZgIQDkgyWnZlfgX/17re
                                                                    MD5:84269806DCE633E56E492EF060FA8F88
                                                                    SHA1:A1E71CB750D25E7A63E0C9D0B01063DF421F1938
                                                                    SHA-256:5FCA695ED2CEFEC010D546310699226EEF4B305DF38CBE3DEA2FDF9494ABC163
                                                                    SHA-512:B25D25A35E6E431BACAF4D5FEA0E40F3FE49CCA14895C64DDBD78C212A2EF0B09B56616154A3D26813E9FAAF3DB1F6BB24A300B5F39B8CE286A41A12F6920EF1
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):56200
                                                                    Entropy (8bit):5.099650247805685
                                                                    Encrypted:false
                                                                    SSDEEP:768:aHzT4jKmYfXyHSRroXfjNHbd/X/QL3Ns63z:4T4DpSpQNHx/X/QL3N3z
                                                                    MD5:1D2A0D23E35B93464BB5B09E5E4C02B2
                                                                    SHA1:04D1A1EED3868433C5B7652ECAE0FDCD29E1EF39
                                                                    SHA-256:A577B5FC4E3A14AE141657C30A38D11FF8593135E51E55485B252EB821D47E75
                                                                    SHA-512:18A0DB760E4C4D9C4E014CFF5EE0F433B298B65FDECA95B8F5F172B9BC534A1C7F64A1B2751B90E89CF76F41EE1AB468415466D2A657905ECA9835E41CAE264E
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):20360
                                                                    Entropy (8bit):6.113539156200981
                                                                    Encrypted:false
                                                                    SSDEEP:384:3Yp02YGv8EWiwEWk14gHRN7PwlX7aJdlGsMIm:3Y02YGvsaPe7aJGD
                                                                    MD5:4266E7BB9BFCE998083D2F4F938B11C9
                                                                    SHA1:23FC9C4C9DE9FD3E71941DF86E26C4DD44F2A95B
                                                                    SHA-256:E1EE6D29E30708AD5812035626BBC1058EA12FD5503D5A79D28C9CB67FAB4A14
                                                                    SHA-512:5DC1E769F973AEC3F0F766AD7C2364A184B9F71C1266F5E5A874C3E63CA7082E9A2C38346D387AA516E2F23ACAAF62979434819697B2695644883CE07BBFD867
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):963744
                                                                    Entropy (8bit):6.63341775080164
                                                                    Encrypted:false
                                                                    SSDEEP:24576:lQ39+j16xw/86yY4ZOVqSs8cKPkb3vi4vwW1kCySQmWymTXY:S3tPDLfRbiow9Cyo
                                                                    MD5:E2CA271748E872D1A4FD5AC5D8C998B1
                                                                    SHA1:5020B343F28349DA8C3EA48FB96C0FBAB757BD5C
                                                                    SHA-256:0D00BF1756A95679715E93DC82B1B31994773D029FBBD4E0E85136EF082B86A9
                                                                    SHA-512:85D6BCAAF86F400000CF991DA1B8E45E79823628DC11B41D7631AA8EE93E500E7DA6E843EA04EDB44D047519DABEF96DCB641ADC2A7B3FAA5CD01E8A20B1F18E
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):638072
                                                                    Entropy (8bit):6.626441891781328
                                                                    Encrypted:false
                                                                    SSDEEP:12288:gny4RhFjQJ/OuZWqeBChLrk8c0GA3wqV6syopxSOmVy6GsCoMo5b:4ywQV3eBWLgsGAg+6syopRmVy6GsChoR
                                                                    MD5:36354D9B5B0A58A4B9A19103852C00A2
                                                                    SHA1:0EA4B3CFB14E49CEC0D42FF0F1FA989E69647A8F
                                                                    SHA-256:E5A863D3F4BFEFED7D73A7B1499F81B7235BC9AE3C108065041BCB8E5446B1BB
                                                                    SHA-512:CAAAFF8E904F8DD24CE12DFD8FDF23AC54F4BF630A8535B1B575BF3890A51BCE82BCE145D001FB18B65F30BEDB9FC863CF61DD69D446DDF5BFFD64BC06AE1FB4
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):20949608
                                                                    Entropy (8bit):6.259064834406153
                                                                    Encrypted:false
                                                                    SSDEEP:393216:jIckHor5uLnn83wAP5hxOZEa7/LzRuDFqILn5LgcKyZyQXt+8Ms:KEZbvT
                                                                    MD5:C8EBA2CC4CA68565D5602D98D559B416
                                                                    SHA1:0426031495C366C327E518CD51B895F4F3F136AA
                                                                    SHA-256:4A73400E653E13B72FE46528FE14FA8FA802AD81C70A4AF4A498AF7603456113
                                                                    SHA-512:BA35AF4EA79F79C853DE9AAE63D78DDA3CFB3BC5D572050DE121F7AC4610F16A7F09DE26B6E321A415E3067315A5A0329F90ED9616FC69CD5D4EF7C41D7DADED
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1477104
                                                                    Entropy (8bit):6.575113537540671
                                                                    Encrypted:false
                                                                    SSDEEP:24576:4mCSPJrAbXEEuV9Hw2SoYFo3HdxjEgqJkLdLu5qpmZuhg/A2b:nPlIEEuV9Hw2SFFWHdWZsdmqja/A2b
                                                                    MD5:4931FCD0E86C4D4F83128DC74E01EAAD
                                                                    SHA1:AC1D0242D36896D4DDA53B95812F11692E87D8DF
                                                                    SHA-256:3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
                                                                    SHA-512:0396BCCDA43856950AFE4E7B16E0F95D4D48B87473DC90CF029E6DDFD0777E1192C307CFE424EAE6FB61C1B479F0BA1EF1E4269A69C843311A37252CF817D84D
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):59496
                                                                    Entropy (8bit):6.785827139909573
                                                                    Encrypted:false
                                                                    SSDEEP:768:86bBUGLDGA2gX+DuCCYVQN2PbSKDcr2F7+THDHf/ckFSr2F7XRJHDHf/cke:vLDGCOxVfPZDsE+jHpCEbjHi
                                                                    MD5:57793518C2166B2505C67A7568D92E50
                                                                    SHA1:1512223733E0335B61BBB7EBA93BB5BC2B3252A6
                                                                    SHA-256:74BCC6A590FDCAEC2531AC98A8298613BFF3A236B5847CFE5C234794E31F8F6F
                                                                    SHA-512:B750311F7DC7BE1ABAA6707E0D80B117716A193C35B2454765A40B3C1A90E99AFBC7280A9C89D2FA7F45BF6CC476400581CD9FB6DE4DF05C2EA7D1B3A2032FEE
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):41064
                                                                    Entropy (8bit):7.0183589350740565
                                                                    Encrypted:false
                                                                    SSDEEP:768:MuK+53Gpga2ir2F7esHDHf/ckcr2F7O10HDHf/ck+:bJDyEBjHgEO+jH6
                                                                    MD5:EADC4551B5C6C97504BA6EB8A008A1CA
                                                                    SHA1:F9D61AB0F0A0C94FD3259269FC7D18B51B64EF7F
                                                                    SHA-256:FB41642E4CAEC3F372C78167C2E18F6C000C6E9BADAB1C4005AAF8C310BA0A21
                                                                    SHA-512:4414ECDB928A01CB9897058092EBCE94D56AE007C03CCA1CA9F8F5D52C508C46AFEF63A157EEAEA82A2DF271F6E1017820068DA0EB5D1DD07C62A562C126A5F0
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):39528
                                                                    Entropy (8bit):7.048226351800679
                                                                    Encrypted:false
                                                                    SSDEEP:768:uIdn1D4ar2F7auFHDHf/ck5r2F7mPuHDHf/ckXj:uQn1nELjHBEfjHjj
                                                                    MD5:8EB3B8AE485A641FED75F6901862C286
                                                                    SHA1:8C7233F7C96309C1E568F530F98F7AE229D01003
                                                                    SHA-256:2DE46CE09C116E966A393352C5D22F6FDBE43F340FBA1DA20109CEFE567D87F7
                                                                    SHA-512:4E403CA2052093DFAA842AF4F7A5C0E53AA91DA72863237F7B7D211E37B04EE3ACC3ABA644E09388C78D8D189878B7DD1F8F49B7CFBA64BD9E0D064D872C8E21
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:HTML document, Unicode text, UTF-8 text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):25451
                                                                    Entropy (8bit):4.958527493981565
                                                                    Encrypted:false
                                                                    SSDEEP:192:qEIPgRMintJDnUaejzFgpEGSPQlgFKmlZBJCt8qOddAzNL/R//g0/G/BpedDOo:qRP+zUauGS5ZjCt4ds/N/3/G/Bp6DOo
                                                                    MD5:9D47AAA97DC269DE3F1CD84B1086738E
                                                                    SHA1:292E169143F4FFB6B6F543F28FA0B365EF823998
                                                                    SHA-256:F9D4BAD40B618B34FB6C8B0F9B3E60A42F5FDDA2E20BE72E8E48F08E1314FC06
                                                                    SHA-512:D2AD6DB235A7218A4F0F042A53D43AD59FF142987C0F2ABF132F070125F32A8D175D5785DEBAE7A7FAF3D0C8464A37BAAE80B690ACB131DDF9CE964AA0B6BCB1
                                                                    Malicious:false
                                                                    Preview:<html>....<head>.. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">.. <link href="https://cdn.staticfile.org/layui/2.8.3/css/layui.min.css" rel="stylesheet">.. <script src="https://cdn.staticfile.org/layui/2.8.3/layui.js"></script>.. <script src="https://cdn.staticfile.org/axios/1.4.0/axios.min.js"></script>.. <script type="text/html" id="deviceAction">.. <div class="layui-clear-space">.. <a class="layui-btn layui-btn-xs" lay-event="detail">..</a>.. <a class="layui-btn layui-btn-xs" lay-event="snapshot">..</a>.. <a class="layui-btn layui-btn-xs" lay-event="transform">....</a>.. <a class="layui-btn layui-btn-xs" lay-event="windowtitle">......</a>.. <a class="layui-btn layui-btn-xs" lay-event="mouse">.. .... </a>.. <a class="layui-btn layui-btn-xs" lay-event="ctrl">.. .. .. <i class="layui-icon layui-icon-do
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):3816
                                                                    Entropy (8bit):4.284408417330004
                                                                    Encrypted:false
                                                                    SSDEEP:24:0MkrLE8fld9WzT73NYFOVo8DNPNozooODidnpYzyoORQOvUItofTM7NoKXWfMWZ+:0MkEQCT73BVo8Bridp2FpTOGfJjPfJi
                                                                    MD5:F58EF6AAA2127E152F4A52611B946313
                                                                    SHA1:FC039611A6BB9A57836CDB9889864D60C2EFED37
                                                                    SHA-256:1806F2954A725C496990D868C330665CE019181E52727300F716693AA854E78E
                                                                    SHA-512:4E241C21CCF82B48149A5D8E644C0081B3F4E03906DE518791DCFB96C08F006C724B9475AD464E1975F35F95ED3DAB94217D136B1E4E6699D36633D754291B38
                                                                    Malicious:false
                                                                    Preview:axios.defaults.crossDomain = true..axios.defaults.headers.common = {}....export const DouWanRestfulCtrl = {.. Back: 'back',.. Home: 'home',.. Power: 'power',.. Notify: 'notify',.. AppSwitch: 'appswitch',.. PointMode: 'pointmode'..}....export const DouWanRestfulMouse = {.. Click: 'click',.. Swipe: 'swipe',.. Scroll: 'scroll',.. Press: 'press',.. Release: 'release',.. Move: 'move'..}....let s_service = null....export class DouWanRestfulService {.. apiHostPort = ''.... static get defaultService() {.. if (null == s_service) {.. s_service = Object.seal(new DouWanRestfulService()).. }.. return s_service.. }.... apiUrl(path) {.. return this.apiHostPort + "/api" + path.. }.... async deviceInfo(uuid) {.. let data = {.. dev_uuid: uuid.. }.. let resp = await axios.post(this.apiUrl('/device/info'), data) .. return resp.data.. }.... async deviceSnapShot(uuid, cro
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:HTML document, Unicode text, UTF-8 text, with very long lines (549), with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):27380
                                                                    Entropy (8bit):4.550000148693941
                                                                    Encrypted:false
                                                                    SSDEEP:768:S5GZ3LelOe7DtWl8hhMbx7KubDxTR77wm4+:htL/e7DtWl+ax7Kup97w2
                                                                    MD5:DB6B4AD596456C40894152C1DE819237
                                                                    SHA1:61AA483132B8FF79A59095F98779956308F73AD9
                                                                    SHA-256:CC5CCDCF7CA7E89D4BAD896DB7849A1EB687F9113A26D4F2BD18DD533FF46BA2
                                                                    SHA-512:983E2FA0458B2274F881F8164FD491F8EE7F512DC5852185AF4AD2C99076E6FE140127D5C3E02D517B21C025277DC819C76820506F32748B3DBB4E6AA2A7A685
                                                                    Malicious:false
                                                                    Preview:<html>....<head>.. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">.. <link href="https://cdn.staticfile.org/layui/2.8.3/css/layui.min.css" rel="stylesheet">.. <script src="https://cdn.staticfile.org/layui/2.8.3/layui.js"></script>.. <style>.. .panel-left {.. display: inline-block;.. width: 200px;.. padding: 16px;.. }.... .panel-right {.. display: inline-block;.. width: 700px;.. padding: 16px;.. vertical-align: top;.. }.. </style>.. <script>.. layui.use(() => {.... let apiDocs = [.. {.. grpName: "...",.. items: [.. {.. key: "device_info",.. menuItem: "..",.. desc: "......",.. url: "/api/device/info",..
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):144368
                                                                    Entropy (8bit):6.294675868932723
                                                                    Encrypted:false
                                                                    SSDEEP:3072:rrjwZ43rCOtrBk7wcR0l7wBlaL6BtIEt51T0Nhkqg8FoQY:7hZu9R0l7wFBtIEt51T0Nuqg8JY
                                                                    MD5:53A85F51054B7D58D8AD7C36975ACB96
                                                                    SHA1:893A757CA01472A96FB913D436AA9F8CFB2A297F
                                                                    SHA-256:D9B21182952682FE7BA63AF1DF24E23ACE592C35B3F31ECEEF9F0EABEB5881B9
                                                                    SHA-512:35957964213B41F1F21B860B03458404FBF11DAF03D102FBEA8C2B2F249050CEFBB348EDC3F22D8ECC3CB8ABFDC44215C2DC9DA029B4F93A7F40197BD0C16960
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):132712
                                                                    Entropy (8bit):6.883208385702765
                                                                    Encrypted:false
                                                                    SSDEEP:1536:Cv/8TdUm4uYbM63engZpKj6tO2OgPPWg3msOq6LNtJLcKS2zmcIePHNEtjHOE3Tc:Y32gZpKjlg12sObHJwj2zWePtajuYTjw
                                                                    MD5:09EF2883A1861A9F94D1EBC70C870DC9
                                                                    SHA1:B750F98170F1485CB888E6BA32BCD42AF61FA4B9
                                                                    SHA-256:A95D5FCDAFA91B2F2C41501C1BBF7D5ECD836CC195678984554550E7F101223C
                                                                    SHA-512:578C0CEE0CDD43EE046026A43592A5B0DAC87F1FC89E20DC46B69AFEC2D8902FFA6E9EE912EE7CF38409443B986EDDFD05C3FE1BEF2C39828012D39CD38C0652
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):441448
                                                                    Entropy (8bit):6.774648618314009
                                                                    Encrypted:false
                                                                    SSDEEP:12288:VIXGEIB7ueZDs0PdOvO2Z4kgfIi+FJeQtkadmPKb:VIXGEIB7uYlOCkgfIi+FJeQtkkmPKb
                                                                    MD5:8EF0D25DEA268F75A17E9CA10CF13842
                                                                    SHA1:1E987C7D4C4D6DC48AAC9DEC03A3723C2D08183C
                                                                    SHA-256:F5F96073FCC01A7F87DB9F4503DADB3BC9A683BF2B8B1C916AEFA390C47B1838
                                                                    SHA-512:A71AB73ECF8A6F8182E59963E7F54A130E0069819E4DB2BCADFEDEDFAFA241F0B1908C1467F32B1025D3ABC0F5AECE2BE9FC8E80074300FFC6516617D8BD0BFB
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):160017
                                                                    Entropy (8bit):5.356034639583569
                                                                    Encrypted:false
                                                                    SSDEEP:1536:XGlAMfkX1M0RdaCkR8lfv8vtc8EFrVYA2I4AJZWEWgHg1C8COvzLKHC6Jp9NV0V7:XUr0RACkIwDEpV1Lgf16btw3Bb
                                                                    MD5:257BCE0D43476FF6548F7D9D2C3A5809
                                                                    SHA1:3D7B581860C381FC5644F739850F4C126F27838D
                                                                    SHA-256:C14EBFAA0FECB341B43ED2179DF9372D27AD20A15BAFB9F5403D57838AE1D88A
                                                                    SHA-512:051C71E4D105B082D169C5B57D2B6CFC093D174A649A0B4D42FD226B808C9FEDB51A8CED6D5CB5DB7F4FCCE29419EC068D473B7FF7B8E15B9F8A82D32B73BE00
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):165337
                                                                    Entropy (8bit):5.332219158085151
                                                                    Encrypted:false
                                                                    SSDEEP:1536:9ULiyUxPoT6qx+J7FJlaaMJnxjqxq+0Uiff0mbVeb7wiEwYuYqDKBkKHMXHCIMll:9ULpIVFnpwUiEujw27ncUQUz
                                                                    MD5:660413AD666A6B31A1ACF8F216781D6E
                                                                    SHA1:654409CDF3F551555957D3DBCF8D6A0D8F03A6C5
                                                                    SHA-256:E448AC9E3F16C29EB27AF3012EFE21052DAA78FABFB34CD6DFF2F69EE3BD3CDB
                                                                    SHA-512:C6AE4B784C3D302D7EC6B9CE7B27DDAF00713ADF233F1246CD0475697A59C84D6A86BAA1005283B1F89FCC0835FD131E5CF07B3534B66A0A0AA6AC6356006B8F
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):210126
                                                                    Entropy (8bit):4.665314011804837
                                                                    Encrypted:false
                                                                    SSDEEP:3072:GQKRldlzfzvZfeW+6kXEVjSVPzC3ceKdP2:aff7UW+WjwP2
                                                                    MD5:1D351670EA821DB3BBB5AEE0AD186F10
                                                                    SHA1:AC0548EB87E7E4A12A604523713E5B08DF88FB50
                                                                    SHA-256:235F502810D5750A47421D3E57620DCAE5CFCFD83BC97766AD8B99B75238A544
                                                                    SHA-512:7A769F0C0858C25EBBBDD25C7308523ED298E35E2B5533981967773CF7D08899D81D05D34D67567BB48FB0DE21B3CE9C9D83866EC701DC841F8B430EADB43E29
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):174701
                                                                    Entropy (8bit):4.87192387061682
                                                                    Encrypted:false
                                                                    SSDEEP:3072:5WjuhX0CVRaakGjW9E8SSOQfX/JlwVOMxrboRPqWxXfQvO7zjBf:5iFGj1QfXr8Gd
                                                                    MD5:C57D0DE9D8458A5BEB2114E47B0FDE47
                                                                    SHA1:3A0E777539C51BB65EE76B8E1D8DCE4386CBC886
                                                                    SHA-256:03028B42DF5479270371E4C3BDC7DF2F56CBBE6DDA956A2864AC6F6415861FE8
                                                                    SHA-512:F7970C132064407752C3D42705376FE04FACAFD2CFE1021E615182555F7BA82E7970EDF5D14359F9D5CA69D4D570AA9DDC46D48CE787CFF13D305341A3E4AF79
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):181387
                                                                    Entropy (8bit):4.755193800761075
                                                                    Encrypted:false
                                                                    SSDEEP:3072:XzswP2UvZ5aZ9jFTkmq/gnBNW/+PcWrqm2Vliz0DGdaS4KSLZjwTTgwUR0toT:j3m27AjCT
                                                                    MD5:859CE522A233AF31ED8D32822DA7755B
                                                                    SHA1:70B19B2A6914DA7D629F577F8987553713CD5D3F
                                                                    SHA-256:7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22
                                                                    SHA-512:F9FAA5A19C2FD99CCD03151B7BE5DDA613E9C69678C028CDF678ADB176C23C7DE9EB846CF915BC3CC67ABD5D62D9CD483A5F47A57D5E6BB2F2053563D62E1EF5
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):220467
                                                                    Entropy (8bit):4.626295310482312
                                                                    Encrypted:false
                                                                    SSDEEP:3072:7w8go8+ph6JVB8XVXYWpSNEeg8+vaD+p4N8DDiEKugwGZulh15ce4M+4NsPYXCZW:88h8Sj286tTiDD
                                                                    MD5:40760A3456C9C8ABE6EA90336AF5DA01
                                                                    SHA1:B249AA1CBF8C2636CE57EB4932D53492E4CE36AC
                                                                    SHA-256:553C046835DB9ADEF15954FA9A576625366BA8BFD16637038C4BCD28E5EBACE1
                                                                    SHA-512:068E55F39B5250CC937E4B2BD627873132D201D351B9351BE703CD9B95D3BAFB4BD649CB4DF120A976D7C156DA679758D952CAC5E0523107244E517D323BC0C5
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):33
                                                                    Entropy (8bit):4.513794876803093
                                                                    Encrypted:false
                                                                    SSDEEP:3:j2wZC4C/rOw+8k:Cwef+8k
                                                                    MD5:AAEA7BA475C961F941D0A23488457BEB
                                                                    SHA1:2BF0054002C8F7D85DD080DF332553BF9B3A8E26
                                                                    SHA-256:494AC9A2B2CB2FDECED353F4A9F898ED8DCF616E9BC667438C62681E3F7F79CF
                                                                    SHA-512:5B408C36C8F93F71E73E3D3B1C0C2AD699E92A6088604B8ADF8E588E8A75FC3FC92828199B7F00F5B05B224AE819220D07E56D610A76A267594870BEC77172BE
                                                                    Malicious:false
                                                                    Preview:<.d....!..`.......en_US.......
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):165170
                                                                    Entropy (8bit):4.679910767547088
                                                                    Encrypted:false
                                                                    SSDEEP:1536:JVwzuvb+Ta64KQd84arHX5pxiVhA8QlOD/BnFNa8NsvsfFsfcoZtIx6F:JVwSTG4KqVaLX5pEVK7OJFczstgRtIx8
                                                                    MD5:C7C58A6D683797BFDD3EF676A37E2A40
                                                                    SHA1:809E580CDBF2FFDA10C77F8BE9BAC081978C102B
                                                                    SHA-256:4FFDA56BA3BB5414AB0482D1DDE64A6F226E3488F6B7F3F11A150E01F53FA4C8
                                                                    SHA-512:C5AED1A1AA13B8E794C83739B7FDDEAFD96785655C287993469F39607C8B9B0D2D8D222ECD1C13CF8445E623B195192F64DE373A8FB6FE43743BAF50E153CDA5
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):179941
                                                                    Entropy (8bit):4.720938209922096
                                                                    Encrypted:false
                                                                    SSDEEP:3072:lvdTgO2Yl97ZWnbgTLt/Tf9IlqAeiy5uWkYGM0wNCdRjSK2YUlUs:lvdkA9vh5uWkY0MK2YXs
                                                                    MD5:8472CF0BF6C659177AD45AA9E3A3247C
                                                                    SHA1:7B5313CDA126BB7863001499FB66FB1B56C255FC
                                                                    SHA-256:E47FE13713E184D07FA4495DDE0C589B0E8F562E91574A3558A9363443A4FA72
                                                                    SHA-512:DE36A1F033BD7A4D6475681EDC93CC7B0B5DCB6A7051831F2EE6F397C971B843E1C10B66C4FB2EFF2A23DC07433E80FBF7B95E62C5B93E121AB5AD88354D9CB8
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):166167
                                                                    Entropy (8bit):4.685212271435657
                                                                    Encrypted:false
                                                                    SSDEEP:1536:CLZ1w8McowCppcPwL5pYFw+G00QsbLckCiWxvq+sjs06oFm:C91wxcowspc4L5pUw+cz39CiQ7tloFm
                                                                    MD5:1F41FF5D3A781908A481C07B35998729
                                                                    SHA1:ECF3B3156FFE14569ECDF805CF3BE12F29681261
                                                                    SHA-256:EDB32A933CEF376A2636634E14E2977CED6284E4AA9A4AC7E2292F9CA54C384A
                                                                    SHA-512:A492E8AC88095A38A13549C18C68E1F61C7054AB9362C2B04C65B93E48E4A07941C8DA6950BAE79041094623E0ED330CA975110FDE8248B4D9380B9F729AD891
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):189580
                                                                    Entropy (8bit):4.629471775298668
                                                                    Encrypted:false
                                                                    SSDEEP:1536:SiaI3C87jhakhR0VGkw7ys7CskQH6y4e6IFB4xyMuhvDnJGhFaCo527arBbm07LZ:S2yGjh17yiqxTXhvQoejJd8FUjVgk
                                                                    MD5:D512456777500DC13EF834ED528D3704
                                                                    SHA1:90A32284052C3FE12C18AFEC9F7FF56735E2E34B
                                                                    SHA-256:C515DD2A2E00765B5F651AAE124A55D617B24777138019ABC5A7001DA7417561
                                                                    SHA-512:BABEF929AC600C117967B42389623F352D219A466C484AE68EF3C9DA9FF61555875FFB0DAFC3E5EADA6FB43D37F7AFE74A6B6C73458A93FFB42819E1068C9A3B
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):138690
                                                                    Entropy (8bit):5.4870451639261075
                                                                    Encrypted:false
                                                                    SSDEEP:3072:XSue8FDn3iJsqBejd/zNDSLzdetY2ZISfCPS:XSuem7w7IjdIzUtYAISfCPS
                                                                    MD5:26B777C6C94C5AA6E61F949AA889BF74
                                                                    SHA1:F78DA73388C86D4D5E90D19BB3BD5F895C027F27
                                                                    SHA-256:4281C421984772665A9D72AB32276CFE1E2A3B0EBE21D4B63C5A4C3BA1F49365
                                                                    SHA-512:8E02CE06F6DE77729AEFA24410CBD4BFBA2D935EF10DCF071DA47BB70D9C5E0969F528BDB3DB5CAB00E3142D7C573FCF66EA5EB4A2BC557229AD082C0EB1DBCC
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):160494
                                                                    Entropy (8bit):4.831791320613137
                                                                    Encrypted:false
                                                                    SSDEEP:3072:BmOMZadV9n51xXeQvjOiIzz7/Vs9Db3ihuJNvMfWxBNlYzYbTrIkfwb03l24cNKu:HkWa5pg0MahBHDd
                                                                    MD5:E9D302A698B9272BDA41D6DE1D8313FB
                                                                    SHA1:BBF35C04177CF290B43F7D2533BE44A15D929D02
                                                                    SHA-256:C61B67BB9D1E84F0AB0792B6518FE055414A68E44D0C7BC7C862773800FA8299
                                                                    SHA-512:12947B306874CF93ABA64BB46FAC48179C2D055E770D41AF32E50FFFB9F0C092F583AFCEA8B53FE9E238EF9370E9FFFBEB581270DFA1A7CB74EBE54D9BFF459F
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):161139
                                                                    Entropy (8bit):4.679177649012242
                                                                    Encrypted:false
                                                                    SSDEEP:1536:ZL5ef7fdO4BKOb0t55pqCOIUP/PFIM7gxGQ9sRrFM6QJ4m8ihkM:ZdeDFO4BKOb0t55pnOrvCqg9mRK4IkM
                                                                    MD5:66C2DBE4E048D365AA3531409BB319E9
                                                                    SHA1:43376F186D324E261B0F6A2475FF2F0B5261B5E1
                                                                    SHA-256:EEDA9549376601652F8E2F35048E56548F4C15BC6CCAB48F5A3D5A249D631BEE
                                                                    SHA-512:4D4325752872BA0A3D4CA5F2ABA6FAC0D93EA7D36CAF2BF7EA2B32C9CD2B4832CC3A6B78AF7CAF33B28F7D6259CE1CE0F372089E16843FBE459B14F2A43B1904
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):129911
                                                                    Entropy (8bit):5.802855391832282
                                                                    Encrypted:false
                                                                    SSDEEP:1536:W8YYSCjKBJ26c1Z7f25pVmuLXpxfqt7FEUWNrfQje9kWI23pKXvx:xYuKBJ01Z7u5pQuLbESUWNzAAI23pKfx
                                                                    MD5:608B80932119D86503CDDCB1CA7F98BA
                                                                    SHA1:7F440399ABA23120F40F6F4FCAE966D621A1CC67
                                                                    SHA-256:CBA382ACC44D3680D400F2C625DE93D0C4BD72A90102769EDFD1FE91CB9B617B
                                                                    SHA-512:424618011A7C06748AADFC2295109D2D916289C81B01C669DA4991499B207B781604A03259C546739A3A6CF2F8F6DFA753B23406B2E2812F5407AEE343B5CBDD
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):156799
                                                                    Entropy (8bit):5.859529082176036
                                                                    Encrypted:false
                                                                    SSDEEP:1536:rvTy18hhPekHs1iNXVExWbStnn8TExgkYOvYejZOvXx4Mmf0MwUL8smk/pDZyy:y18hJ61nMStnn8TOgknQRLWZmkxNyy
                                                                    MD5:082E361CBAC2E3A0849F87B76EF6E121
                                                                    SHA1:F10E882762DCD2E60041BDD6CC57598FC3DF4343
                                                                    SHA-256:0179ED1B136E1CB3F583351EAA2C545BA3D83A6EE3F82C32505926A1A5F5F183
                                                                    SHA-512:F378A42116924E30FA0B8FFF1D3C3CB185DC35B2746DCE2818BE7C2AA95C5DE103DF44AAC74DA969C36C557F1D4DE42AC7647EC41066247F8AD2697BDED667EA
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):153608
                                                                    Entropy (8bit):4.843805801051326
                                                                    Encrypted:false
                                                                    SSDEEP:3072:y5pmbKIhooMbGe91MrjOhmGzP6LJbWz5XIxELpU6:yObeqrjPGzeJyJLy6
                                                                    MD5:BD8BDC7BBDB7A80C56DCB61B1108961D
                                                                    SHA1:9538C4D8BB9A95C0D9DC57C7708A99DD53A32D1F
                                                                    SHA-256:846E047573AE40C83671C3BA7F73E27EFC24B98C82701DA0DF9973E574178BB2
                                                                    SHA-512:F040EC410EBFEA21145F944E71ADCAE8E5F60907D1D3716A937A9A59A48F70C6B7EAAC91C2C554F59357A7BC820CDBD17C73A4DECC20B51F68EB79EDD35C5554
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):162982
                                                                    Entropy (8bit):4.841899887077422
                                                                    Encrypted:false
                                                                    SSDEEP:1536:sXpestp/YIFtDT8FIWYbIJmPYuIpnmxAk6mwyJNqSm9+P:sxpTDT8FIWfJmdCmxApmbnqSm9+P
                                                                    MD5:F9475A909A0BAF4B6B7A1937D58293C3
                                                                    SHA1:76B97225A11DD1F77CAC6EF144812F91BD8734BD
                                                                    SHA-256:CE99032A3B0BF8ABAD758895CC22837088EAD99FD2D2514E2D180693081CFE57
                                                                    SHA-512:8A4F1B802B6B81FF25C44251FB4A880E93E9A5FE25E36825A24BFE0EFB34E764E7E1EE585D3A56554964B7921E7813C67F12D200D6E0C5EAF4BB76B064B5C890
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):203767
                                                                    Entropy (8bit):5.362347888784502
                                                                    Encrypted:false
                                                                    SSDEEP:1536:hn4dEJ63pdhPpy6gu5fs4MHQv6sLlxnrncF423ZL9xyuXwdcX8/Zuf76CW+WeXFx:aN3pdV5fZbpItXsZtRY+WSq
                                                                    MD5:7C1D56064AF52DC1C834FF709FC53609
                                                                    SHA1:C415A8B1B6B9D40DD68173A0772F32F639CD743A
                                                                    SHA-256:B2C601C7DECB9F8D2D6DC3B1929F2EC20656FF21783BF283DF23B02DD022DC5B
                                                                    SHA-512:FCBD753BECF6D2FC4B0074440AFBE06ED27B6FDF15D14ABD66DF28EF44272E98DC6DED66BAAE09EC8666BC78E454E20D38F945F4B0F6D0B6899CFD663E1BA1F9
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):125763
                                                                    Entropy (8bit):4.803076457235141
                                                                    Encrypted:false
                                                                    SSDEEP:3072:roXDuC1u/2lUBGjJirE5tsd/aev1GcfOdvhw:OucMGjH5t/m
                                                                    MD5:5BBA1E27FCABC34B403CDF11F0A63CEF
                                                                    SHA1:EA02695BDBB9C7F55A94F60B306703F0D67B30C3
                                                                    SHA-256:B70C6DE694E717FA05C46831B6A11927536AEAD937CCE6BA66665D5C496EED06
                                                                    SHA-512:E15DB4397E5388B56B9869080DB06CB3357E3D575C619CB1187F7372AEC5B7F19F14EEC6D2674F174094945AEDB5470AB1CCEC1347B96E8E6BB20279FD038F6C
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):194487
                                                                    Entropy (8bit):4.877239354585035
                                                                    Encrypted:false
                                                                    SSDEEP:3072:yRRhAFCvqDBitD/iDG9AOH+l4TcwZBPqHo9fd9CFRK+2IKAimxsjucV2p0ZqvRu7:yRRHs5mksWVX3lA3
                                                                    MD5:6CBC5D8E1EABEC96C281065ECC51E35E
                                                                    SHA1:4E1E6BA3772428227CB033747006B4887E5D9AD1
                                                                    SHA-256:6A0BF6E70E7920C2B193E76E92F78F315936955D3B06AC039D917F2E06C43281
                                                                    SHA-512:CE1F9EE180176153D5F523D71E0DB06F4DEA65C24E5E2CD56341CFAEE349A8E9A0F606D99F7219A35DD4516D1528C90AEA4BB87548A55392B8F2B36164D478B1
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):158241
                                                                    Entropy (8bit):5.401819605980093
                                                                    Encrypted:false
                                                                    SSDEEP:1536:4FoQa3dMUDPTzdAhpQgO5poZHvJllEnhmdK4I77/dnPJX/imfb1jhvv3BxT8upfk:rzDPTzaw5pCvJ8hVPdlvj3p8
                                                                    MD5:ACBE9498B42AE04A8A05DDB08F88DAF0
                                                                    SHA1:F847CC1A45A19B5527148BFBC93A3942819F22CD
                                                                    SHA-256:4835B26FC4FCCBF4444E4AF1178BA89ADA88D340BA74D61EAE344D81B8A26461
                                                                    SHA-512:D488BA62873DF44021B2DF7683B80F6207E998AC14F5DBA85E860949A8A01B4D826CFD574D83C8B1107294197D61F9098210D93729B026F03CEE86CC6B576C45
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Qt Translation file
                                                                    Category:dropped
                                                                    Size (bytes):127849
                                                                    Entropy (8bit):5.83455389078597
                                                                    Encrypted:false
                                                                    SSDEEP:3072:Fv2cHP10gOs6dcFxsJopMqOWv2WIrPFP8pa:Fh6s6iFxEodjef8pa
                                                                    MD5:9C6A3721D01ECAF3F952CE96F46CE046
                                                                    SHA1:4A944E9E31DF778F7012D8E4A66497583BFD2118
                                                                    SHA-256:085D29EAF9BBB788B2F2503D74A1EF963A9411CEB600441254CE49A120E1AB63
                                                                    SHA-512:6E2807B8785F42A26C9CCBDBA0327DD40B529B10C468593F0E74113774D1CCDAA4FD9ACE9B259B9040E1475911428ECAEA49425B0F170862CF8147D23DB48E46
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):997056
                                                                    Entropy (8bit):6.641267041997889
                                                                    Encrypted:false
                                                                    SSDEEP:24576:WhEbImsFPf/JtGlA3wubyZ9dgruOqy38V89DamxvSZX0ypkXvE:WhgImsFPfRklAVyBgr599hX8
                                                                    MD5:ED82E9C6C4F7A475D7FD6EBABF3FAB2A
                                                                    SHA1:1062942B1BDFC8D7C8A941C152DF69216010D780
                                                                    SHA-256:4C5B8E529854CEDFA8F46CD6906952400CDBBF25EFC4CF37DDA2C42D8E96DDCB
                                                                    SHA-512:BF7BDF4762455A1224CDF1E7CDEB73A3C24C3E04D0B01DF9F46B87D174CF4A88621372AA87B7E622B210F63A453C911D88E214BA67560F8FF7D7D0D24DA58AD2
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Category:dropped
                                                                    Size (bytes):427694
                                                                    Entropy (8bit):5.50573003234794
                                                                    Encrypted:false
                                                                    SSDEEP:3072:2DxaVzwmg4CSW8JSuosY5b92UyWtZXeb9eNX5290X:IMm4CC7Y/HZXRNX529a
                                                                    MD5:3D2543D64021E03CDA142D02C5ADE1D3
                                                                    SHA1:6999E54D537CED5563AAC7728C200D94545D6325
                                                                    SHA-256:CA7B174701940789FC5F5874E527800486ADA1A770F0764306571619D01B7450
                                                                    SHA-512:7BEDF0DA0473F8F3DC74BFE38BA989440E031FA0E5D9EB71FA0BA84D512FE913DAB3B710C3D5587EDDAAE6D94D883C18DC7303F11B83D0F2B7E5AE841D15E630
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):534120
                                                                    Entropy (8bit):6.431427852197156
                                                                    Encrypted:false
                                                                    SSDEEP:12288:15AhCOl9jwutmRIrzD56vteperRJVnP4n02b09:nA16YmRIvD56vteperRJVnP5
                                                                    MD5:D4E1A7F6DC113144D94BC326EF4C1EBD
                                                                    SHA1:62B93B0CADD3FB684EE8776ED1C54AF9C860C80A
                                                                    SHA-256:5721271AC42FF873CE4E226C2F787327BBE6D0C0EB6F7970DDDB489A97B1AB95
                                                                    SHA-512:18E11F68FCFB0F7501900D8E7EBC485D91B37265B54C0406CB0FE62C7F6F3D8EE7B721503477DD7A2062EAE4E6A2E79F73E3790B1B23B8BACEF201639A2921E5
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):140904
                                                                    Entropy (8bit):6.43218911701623
                                                                    Encrypted:false
                                                                    SSDEEP:3072:CmKUUwHbzDUio/REolONDHlWQfvjRdqj+:qCHbzDxomolaftn
                                                                    MD5:FBC00D53EB7E49DAB3C4C0D6DBC623F5
                                                                    SHA1:5AC7FEE759147B96C5423156167E479961CA5BF8
                                                                    SHA-256:76F7CA0E68CE7CA87E417CA50E22BD97D21D7CBA4FB207C14615002128444991
                                                                    SHA-512:DA7D2D8CE6A63C5A26F98ED445F375F44BB68E214A4D313B781ABE5A6D3441856A56BD113D78FE4FA94A8BD3882480B5A52B1BCD35682BE50969D618A126C5A8
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):334728
                                                                    Entropy (8bit):5.937217679926928
                                                                    Encrypted:false
                                                                    SSDEEP:6144:o+dqDim64W44od8wyW9I8RbAA2d3a6JD36a:o1Iud8wy6I8DD6t
                                                                    MD5:7EF7EAB654DF53E087AC4703C9EA0B16
                                                                    SHA1:743DC76D168326B60F09347945FE1342A6EFFC4C
                                                                    SHA-256:13E568FDCDE1B7B7F2D1C97A474BDB8858F5AB761157F0FEA7201CCECF84B9B8
                                                                    SHA-512:0B860F10C03ACB3866E82FD6044C29D63A2C6A1D5F6628F3D31F1CD1E44D7144E3660DF3446B7A0B76B7811B261675E5AA39FB27EFEEC060D287FDE3E630EDD2
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):97160
                                                                    Entropy (8bit):6.422776154074499
                                                                    Encrypted:false
                                                                    SSDEEP:1536:yDHLG4SsAzAvadZw+1Hcx8uIYNUzUnHg4becbK/zJrCT:yDrfZ+jPYNznHg4becbK/Fr
                                                                    MD5:11D9AC94E8CB17BD23DEA89F8E757F18
                                                                    SHA1:D4FB80A512486821AD320C4FD67ABCAE63005158
                                                                    SHA-256:E1D6F78A72836EA120BD27A33AE89CBDC3F3CA7D9D0231AAA3AAC91996D2FA4E
                                                                    SHA-512:AA6AFD6BEA27F554E3646152D8C4F96F7BCAAA4933F8B7C04346E410F93F23CFA6D29362FD5D51CCBB8B6223E094CD89E351F072AD0517553703F5BF9DE28778
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):37256
                                                                    Entropy (8bit):6.2987721506649335
                                                                    Encrypted:false
                                                                    SSDEEP:384:5InvMCmWEyhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+XfbmuncS74GdWrUKWj14gHg:dCm5yhUcwrHY/ntTxT6ovR7VxIV1z
                                                                    MD5:7667B0883DE4667EC87C3B75BED84D84
                                                                    SHA1:E6F6DF83E813ED8252614A46A5892C4856DF1F58
                                                                    SHA-256:04E7CCBDCAD7CBAF0ED28692FB08EAB832C38AAD9071749037EE7A58F45E9D7D
                                                                    SHA-512:968CBAAFE416A9E398C5BFD8C5825FA813462AE207D17072C035F916742517EDC42349A72AB6795199D34CCECE259D5F2F63587CFAEB0026C0667632B05C5C74
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):81000
                                                                    Entropy (8bit):6.812218811638426
                                                                    Encrypted:false
                                                                    SSDEEP:1536:p0kHaH+UcvRvUNZNyiH/pygu4ELjH9ELjHC:p08XXRvziH/pygu4gjdYji
                                                                    MD5:1523F165B18D314E27E966F202174DC4
                                                                    SHA1:3831243BD442C238E216B6FF86E25DA1630B523D
                                                                    SHA-256:9611A420C722EFDDF20E5E8D9CFFAF8DCF5ED4436BA6B14F7DAF4E811F9C14CA
                                                                    SHA-512:67CBAC508D1FECFDDF2FF08848BCAB7D2C6E9ECAFBFB0FE66BB4C8CCDA4E68D2B6FAEFA89786CF9932FFDB2ED13BAF8DA11FF2E50438890B05B3605CD5BB487B
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):251568
                                                                    Entropy (8bit):6.081096820590158
                                                                    Encrypted:false
                                                                    SSDEEP:3072:Ueq0vE1nArMEftoskwTBf/HY/95AFMX0d6jIMmig0/AXeCjXX1ja:UeUyrMEiskwTBnHY/30MIMnAXeqo
                                                                    MD5:92CF41B3DDE4FEBAB4377459289F5E30
                                                                    SHA1:B06F12D195A889677E870726840B0BED5D87D243
                                                                    SHA-256:0674A818542011BAB13EA5C2EFBCA73C8CA500981D754C2E97E6295A7122C5BD
                                                                    SHA-512:CF5B16B80393F01265CA0E5A8816BF85D470B3B22D7086FA6A731CE9D45235CFF5F677D041E7DB847C2D4349D916411CC09F14D0C15D14338D7790D268C7FF37
                                                                    Malicious:false
                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):65536
                                                                    Entropy (8bit):1.7315928969395045
                                                                    Encrypted:false
                                                                    SSDEEP:384:NC0Rvhb1wyYDULjXKQor3R6ezuiFNY4lO8Cl:zb1wyZjaQkhzzuiFNY4lO8
                                                                    MD5:33798B1CC5C3519B62FADFF28539342E
                                                                    SHA1:9B84D7595C2E9B42C566BBF4FA70CA582CFE507F
                                                                    SHA-256:BFB71DA594A9693811935E3042A0D31E5FB2E2EAB7DF13A81205540091E486F3
                                                                    SHA-512:3477141D8F909AC32D636B818208EC88B7720FCD65940211F00756A90777365BAC5DC461DF54A89D82CF11E84BFD656BC9FB8A438506B13F19E071292FEA2298
                                                                    Malicious:false
                                                                    Preview:Version=1..EventType=BEX64..EventTime=133644960848720107..ReportType=2..Consent=1..UploadTime=133644960856960183..ReportStatus=655456..ReportIdentifier=e36fff6b-09c9-41d3-9ef3-8044ffc3c43d..IntegratorReportIdentifier=f9b8af1a-75c0-41a9-ab49-d0b3ae994310..Wow64Host=34404..NsAppName=DouWan.exe..AppSessionGuid=00001780-0001-0014-60d6-5e3962cdda01..TargetAppId=W:000666434225150fff36dd43127eeb37369800000904!0000008a2bd684bc44ab4ee285e754babbb69e8920aa!DouWan.exe..TargetAppVer=2024//04//28:03:56:41!1
                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                    File Type:Mini DuMP crash report, 15 streams, Wed Jul 3 16:01:25 2024, 0x1205a4 type
                                                                    Category:dropped
                                                                    Size (bytes):118948
                                                                    Entropy (8bit):2.8401453096901466
                                                                    Encrypted:false
                                                                    SSDEEP:768:bYK6Zr8LqcrbWpOmj9p3k6qyyu6jZU90j52LgIasb5pV:28gHo6oO82Llasb5
                                                                    MD5:59091454736C603580B11571A2FA0734
                                                                    SHA1:325C3C1AEC4EDFD44256DFC03C8DBE88638D4A11
                                                                    SHA-256:67FF11C118A7EDDBCF3D80A8EBCD9417B9F10057D486D7B71BD36502C2F237DF
                                                                    SHA-512:0EEBA80D4984D04B51B8B466C72BB5C4BEE71E9C07B8459ACE9310B25F0CBFB5F1CEF9D8BDE1ECAFAD12808FF4675A1D468F61D054E56F34CA4C09FC3658D296
                                                                    Malicious:false
                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):7920
                                                                    Entropy (8bit):3.716938673193695
                                                                    Encrypted:false
                                                                    SSDEEP:192:R6l7wVeJuXPOYFcJF33lpDB89bj/pfZhm:R6lXJemYibn+jhfe
                                                                    MD5:32670DF95A56236DC2EBAD968CC71242
                                                                    SHA1:1AF3198DA137A98830BF71EE7555CFE05013FA4A
                                                                    SHA-256:042FDA2681B91E86D295888CDAC58817031D31A69B9FC2F990D50D5B4F82F541
                                                                    SHA-512:1459946534D372E98811B6CC56FA4B06AEADDB274562A95E2BC6F2C58FF46A3680C7F6FC366CCD737F3B68D59509BF3392787A58CBC6BA6BAD3AFE4DE598C887
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>19045</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>....<Revision>2006</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>2057</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>6016</Pi
                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4760
                                                                    Entropy (8bit):4.43809673873084
                                                                    Encrypted:false
                                                                    SSDEEP:48:cvIwWl8zs9Jg771I99SWpW8VYqYm8M4JNJsFWhyq8vQJPIsphZhTd:uIjfXI7Oz7VKJpWSIsphZhTd
                                                                    MD5:D39CAAFE7D760990A653028B557BE78E
                                                                    SHA1:E66AEE21F07C7A2644663D7A43D27281F037760C
                                                                    SHA-256:54F962770A1F4B5B5458997766FDFD9ACBEC78947E1B7681D736218914CFA2B3
                                                                    SHA-512:10388E362B54EF4311A67104DA91CE437BCA3540D55C851510EE011B2513EA977A3510B8CC626A705D2004A9273987325043D85F3EB453884A540E0E8120AD85
                                                                    Malicious:false
                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="394984" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                    Process:C:\Program Files\douwan\DouWan.exe
                                                                    File Type:Unicode text, UTF-8 text
                                                                    Category:dropped
                                                                    Size (bytes):161
                                                                    Entropy (8bit):3.3155414058894843
                                                                    Encrypted:false
                                                                    SSDEEP:3:RXAHfFQQ/DATwxixhifFFPIjCehpvFNFqA/FUKwL4EWZF/Yv:RXA/QTwX45vFaA/FXVJav
                                                                    MD5:1A8B9DFE003812DB45A75B2E2C65CD79
                                                                    SHA1:175697EA19B4F9B4895EEE76DAC200B7E5C5BF95
                                                                    SHA-256:0E4C2ECCB528BFCE61BFF9274ACC03C9F288EDF385C60DD178E6CADE2E4A4277
                                                                    SHA-512:A59D0BC795E3C509DABD48D6AA245C232BA9C532404697A0BD601DFABB8F49F121B0B76018DAA0FD57EE8598618010B6B40C0B5717F4E0B084CD92424FD7F7FB
                                                                    Malicious:false
                                                                    Preview:{. "groups": [. {. "devUuids": [. ],. "name": "...",. "uid": 1. }. ],. "nextGrpId": 2.}.
                                                                    Process:C:\Program Files\douwan\DouWan.exe
                                                                    File Type:Unicode text, UTF-8 text
                                                                    Category:dropped
                                                                    Size (bytes):161
                                                                    Entropy (8bit):3.3155414058894843
                                                                    Encrypted:false
                                                                    SSDEEP:3:RXAHfFQQ/DATwxixhifFFPIjCehpvFNFqA/FUKwL4EWZF/Yv:RXA/QTwX45vFaA/FXVJav
                                                                    MD5:1A8B9DFE003812DB45A75B2E2C65CD79
                                                                    SHA1:175697EA19B4F9B4895EEE76DAC200B7E5C5BF95
                                                                    SHA-256:0E4C2ECCB528BFCE61BFF9274ACC03C9F288EDF385C60DD178E6CADE2E4A4277
                                                                    SHA-512:A59D0BC795E3C509DABD48D6AA245C232BA9C532404697A0BD601DFABB8F49F121B0B76018DAA0FD57EE8598618010B6B40C0B5717F4E0B084CD92424FD7F7FB
                                                                    Malicious:false
                                                                    Preview:{. "groups": [. {. "devUuids": [. ],. "name": "...",. "uid": 1. }. ],. "nextGrpId": 2.}.
                                                                    Process:C:\Program Files\douwan\DouWan.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):59
                                                                    Entropy (8bit):4.540381195126065
                                                                    Encrypted:false
                                                                    SSDEEP:3:ovcQwS16EzUFyjT:oUQww6EzUwT
                                                                    MD5:BD5C4A0B8EB0F293DE5D7A344223050F
                                                                    SHA1:10EDA3AE2A678A90AEFE0953C175589732652FCA
                                                                    SHA-256:423AD7C67ADB2F4669B7CD9E5A4503AB0ED3D82C6DB233746BDE77A0638CD31E
                                                                    SHA-512:C48F2DE685D7B787F20C98E9123986CDB73277A8749953C75DC8165404A1F403BC54D3B353A3E95524A1C72A0414B7B9319254693244E4255CFD85E8B8AEF7C0
                                                                    Malicious:false
                                                                    Preview:6016.DouWan.user-PC.9e146be9-c76a-4720-bcdb-53011b87bd06..
                                                                    Process:C:\Program Files\douwan\DouWan.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):1626
                                                                    Entropy (8bit):3.82042430749289
                                                                    Encrypted:false
                                                                    SSDEEP:24:0xrKx/jNgDkLwfaxhMsB9H2Hj6Jt6V6Q6V6p6/opDpVeHuttKL:0W/h4kLlxhMsLoLQZQ8/0l7ttKL
                                                                    MD5:6741BEF53106B911FB31B02395F67CD1
                                                                    SHA1:750E4DF2D17A45E66F4979E99AFCC1E8D2DFDBEE
                                                                    SHA-256:E3A241E54A09939FA8F245CB1993868ACD7231846CAF8762653E6C810ABF07DF
                                                                    SHA-512:05B3B9E52CC88EB3F28D949CA95FB01CA1E0DF0C57AC1B14F19EF0CA1393915D879CA1A8978D2805212AEDF136211101AD2A88B144A1736504E9CCBA055064C4
                                                                    Malicious:false
                                                                    Preview:{. "options": {. "androidDevice": {. "allowADB": false,. "keepCameraOn": false,. "systemversion": 1,. "wiredBitrate": 9,. "wiredFps": 4,. "wiredHID": true,. "wiredHIDSync": false,. "wiredMic": false,. "wiredMouseWheel": false,. "wiredResolution": 1,. "wiredTouchScreenMode": 1,. "wirelessBitrate": 2,. "wirelessFps": 3,. "wirelessMic": false,. "wirelessResolution": 3. },. "general": {. "closingAction": "askfirst",. "fullscreen": 0,. "lang": "en-us",. "mirrorwindowinitsize": 1,. "mirrorwindowpos": 0. },. "iosDevice": {. "assistantTouch": false,. "enableHID": false,. "enableQC": false,. "wiredCasting": 3,. "wiredFps": 60,. "wiredResolution": 1,. "wirelessFps":
                                                                    Process:C:\Program Files\douwan\DouWan.exe
                                                                    File Type:JSON data
                                                                    Category:dropped
                                                                    Size (bytes):1626
                                                                    Entropy (8bit):3.82042430749289
                                                                    Encrypted:false
                                                                    SSDEEP:24:0xrKx/jNgDkLwfaxhMsB9H2Hj6Jt6V6Q6V6p6/opDpVeHuttKL:0W/h4kLlxhMsLoLQZQ8/0l7ttKL
                                                                    MD5:6741BEF53106B911FB31B02395F67CD1
                                                                    SHA1:750E4DF2D17A45E66F4979E99AFCC1E8D2DFDBEE
                                                                    SHA-256:E3A241E54A09939FA8F245CB1993868ACD7231846CAF8762653E6C810ABF07DF
                                                                    SHA-512:05B3B9E52CC88EB3F28D949CA95FB01CA1E0DF0C57AC1B14F19EF0CA1393915D879CA1A8978D2805212AEDF136211101AD2A88B144A1736504E9CCBA055064C4
                                                                    Malicious:false
                                                                    Preview:{. "options": {. "androidDevice": {. "allowADB": false,. "keepCameraOn": false,. "systemversion": 1,. "wiredBitrate": 9,. "wiredFps": 4,. "wiredHID": true,. "wiredHIDSync": false,. "wiredMic": false,. "wiredMouseWheel": false,. "wiredResolution": 1,. "wiredTouchScreenMode": 1,. "wirelessBitrate": 2,. "wirelessFps": 3,. "wirelessMic": false,. "wirelessResolution": 3. },. "general": {. "closingAction": "askfirst",. "fullscreen": 0,. "lang": "en-us",. "mirrorwindowinitsize": 1,. "mirrorwindowpos": 0. },. "iosDevice": {. "assistantTouch": false,. "enableHID": false,. "enableQC": false,. "wiredCasting": 3,. "wiredFps": 60,. "wiredResolution": 1,. "wirelessFps":
                                                                    Process:C:\Program Files\douwan\DouWan.exe
                                                                    File Type:ASCII text
                                                                    Category:dropped
                                                                    Size (bytes):59
                                                                    Entropy (8bit):4.540381195126065
                                                                    Encrypted:false
                                                                    SSDEEP:3:ovcQwS16EzUFyjT:oUQww6EzUwT
                                                                    MD5:BD5C4A0B8EB0F293DE5D7A344223050F
                                                                    SHA1:10EDA3AE2A678A90AEFE0953C175589732652FCA
                                                                    SHA-256:423AD7C67ADB2F4669B7CD9E5A4503AB0ED3D82C6DB233746BDE77A0638CD31E
                                                                    SHA-512:C48F2DE685D7B787F20C98E9123986CDB73277A8749953C75DC8165404A1F403BC54D3B353A3E95524A1C72A0414B7B9319254693244E4255CFD85E8B8AEF7C0
                                                                    Malicious:false
                                                                    Preview:6016.DouWan.user-PC.9e146be9-c76a-4720-bcdb-53011b87bd06..
                                                                    Process:C:\Program Files\douwan\DouWan.exe
                                                                    File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):52832
                                                                    Entropy (8bit):6.452652119779142
                                                                    Encrypted:false
                                                                    SSDEEP:768:HFXl2LF1UHgnnhe8178WtnYhD+icqO3cp3RtR7QnC+ziX7BE:yConbt8wifuQRtR7QnC+zirBE
                                                                    MD5:16E18CED459B1824234890386EE66CD5
                                                                    SHA1:81D2B572EC0D24ABA11ED6BFA9174FFAD54140B7
                                                                    SHA-256:8058F2AFE6EF96A7D2DED432997FD8655970C9EA75A938EE4557D6A2CB4CC989
                                                                    SHA-512:B0E67D040D39F043305B0C172906BBEA8341F1326108F5C5A0379CD6B287D62CBD86270385713D0F6A14C5106A5A6C23F6247A303E6124CB3E33982978505C98
                                                                    Malicious:false
                                                                    Process:C:\Program Files\douwan\DouWan.exe
                                                                    File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):47928
                                                                    Entropy (8bit):6.327033250709146
                                                                    Encrypted:false
                                                                    SSDEEP:768:DpFlaIuC05+IPxXgoVer+E93hmk8P3vOUgDhw38nq3lsKgAn:D09jyNRG/3lsO
                                                                    MD5:A814FF2972F55909AAFFD943EBB0E866
                                                                    SHA1:B966AD29D209C64B3F0D879703086DF1F6121E6B
                                                                    SHA-256:1DF66FF22E2EAEC27180756D90926CA5B07E8BCF6B0E4E3C56471E63A3A05FA6
                                                                    SHA-512:37F2FE6AE0160D67709B125FF3EDCC894EFFFFD377E0086072AA96E53A5191FD67988F2A5465D24C87B41E9ED20F8AE30DA18C216A568C7BCAC6328CA2EC01B8
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):3584
                                                                    Entropy (8bit):5.1126446745821195
                                                                    Encrypted:false
                                                                    SSDEEP:48:A2DhU8UsnL0C8EA4G1zkxU5NMsH7pWIa1B3yx3s2mRUyNi7ftUgwQagqlCt/:JJnQChA4nsNMg0I8GiR+Ugxt
                                                                    MD5:B4FAF654DE4284A89EAF7D073E4E1E63
                                                                    SHA1:8EFCFD1CA648E942CBFFD27AF429784B7FCF514B
                                                                    SHA-256:C0948B2EC36A69F82C08935FAC4B212238B6792694F009B93B4BDB478C4F26E3
                                                                    SHA-512:EEF31E332BE859CF2A64C928BF3B96442F36FE51F1A372C5628264A0D4B2FC7B3E670323C8FB5FFA72DB995B8924DA2555198E7DE7B4F549D9E0F9E6DBB6B388
                                                                    Malicious:false
                                                                    Preview:MZ......................@...................................@...PE..L......M...........!......................... ...............................@............@.................................l...(............................0..........................................................H............................text............................... ..`.data........ ......................@....reloc.......0......................@..B...................................................................................................."...8...L...`...l...~...............................6.0.7...0...1...1.0.0...GetProcessImageFileNameW....GetModuleFileNameExW....EnumProcessModules..QueryFullProcessImageNameW..6.0.5...P.S.A.P.I...D.L.L...EnumProcesses...k.e.r.n.e.l.3.2...d.l.l.....6.0.6...............U... ..V..t(.0..t".F.P.u............ ..V........3...3.@^].. ....t.P.......%. ....U..H)........e...e..SVW......P...........@.....u.h.....C............1..... ....<.....u.h....... ...58........WP..
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):15872
                                                                    Entropy (8bit):5.471605464941094
                                                                    Encrypted:false
                                                                    SSDEEP:384:EFC43tPegZ3eBaRwCPOYY7nNYXCg/Yosa:EMTgZ3eBTCmrnNAo
                                                                    MD5:0A9FB96A7579B685EC36B17FC354E6A3
                                                                    SHA1:355754104DD47D5FCF8918DEE0DC2E2EE53390A6
                                                                    SHA-256:B34FB342F21D690AAC024B6F48A597E78D15791EF480AC55159CD585D0F64AF7
                                                                    SHA-512:67870206FA7F1E7DF45C8C1BC2F51FB430F0A048A2BDB55A4A41525388CA3B50203784537F139169705A03DB4BB13B591162A79A5D2DF81A4D11FD849615C86B
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):12288
                                                                    Entropy (8bit):5.737874809466366
                                                                    Encrypted:false
                                                                    SSDEEP:192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL
                                                                    MD5:564BB0373067E1785CBA7E4C24AAB4BF
                                                                    SHA1:7C9416A01D821B10B2EEF97B80899D24014D6FC1
                                                                    SHA-256:7A9DDEE34562CD3703F1502B5C70E99CD5BBA15DE2B6845A3555033D7F6CB2A5
                                                                    SHA-512:22C61A323CB9293D7EC5C7E7E60674D0E2F7B29D55BE25EB3C128EA2CD7440A1400CEE17C43896B996278007C0D247F331A9B8964E3A40A0EB1404A9596C4472
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1312
                                                                    Entropy (8bit):3.688419121605277
                                                                    Encrypted:false
                                                                    SSDEEP:24:Q+sxvtSSAD5ylSjqWCs7y6J9aZe9nO/6k8lPKCxG5wCk68Yp9XaH65Otw9C+nj:rsx9AQSjqQz9aZbN8l5GuyXaNqb
                                                                    MD5:40A6C6D370BF07B684962747FA0631C5
                                                                    SHA1:4E79422C60639628513D1F04C5A35A4F101BDBE7
                                                                    SHA-256:D01FE0041D4C5A926961461E6B59A418A5C223D1AE6CC80F6C041C71CBC165A3
                                                                    SHA-512:426F472FAFB6E4D926A973E3C725E97D642EC296A4479A81B8A2FB6EBECF60CAC92EE6AE9541884465C17D1F2C8E1B41D1100AE59C7FB5E443831531E20A8388
                                                                    Malicious:false
                                                                    Preview:[Settings]..Rect=1044..NumFields=4..RTL=0..NextButtonText=&Finish..CancelEnabled=..State=0..[Field 1]..Type=bitmap..Left=0..Right=109..Top=0..Bottom=193..Flags=RESIZETOFIT..Text=C:\Users\jones\AppData\Local\Temp\nsaFD81.tmp\modern-wizard.bmp..HWND=524946..[Field 2]..Type=label..Left=120..Right=315..Top=10..Text=Completing DouWan 4.3.0.3 Setup..Bottom=38..HWND=328806..[Field 3]..Type=label..Left=120..Right=315..Top=45..Bottom=85..Text=DouWan 4.3.0.3 has been installed on your computer.\r\n\r\nCl
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
                                                                    Category:dropped
                                                                    Size (bytes):26494
                                                                    Entropy (8bit):1.9568109962493656
                                                                    Encrypted:false
                                                                    SSDEEP:24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
                                                                    MD5:CBE40FD2B1EC96DAEDC65DA172D90022
                                                                    SHA1:366C216220AA4329DFF6C485FD0E9B0F4F0A7944
                                                                    SHA-256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
                                                                    SHA-512:62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
                                                                    Malicious:false
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):7168
                                                                    Entropy (8bit):5.260607917694217
                                                                    Encrypted:false
                                                                    SSDEEP:96:JXmkmwmHDqaRrlfAF4IUIqhmKv6vBckXK9wSBl8gvElHturnNQaSGYuHr2DCP:JAjRrlfA6Nv6eWIElNurnNQZGdHc
                                                                    MD5:4C77A65BB121BB7F2910C1FA3CB38337
                                                                    SHA1:94531E3C6255125C1A85653174737D275BC35838
                                                                    SHA-256:5E66489393F159AA0FD30B630BB345D03418E9324E7D834B2E4195865A637CFE
                                                                    SHA-512:DF50EADF312469C56996C67007D31B85D00E91A4F40355E786536FC0336AC9C2FD8AD9DF6E65AB390CC6F031ACA28C92212EA23CC40EB600B82A63BE3B5B8C04
                                                                    Malicious:false
                                                                    Process:C:\Program Files\douwan\DouWan.exe
                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1002728
                                                                    Entropy (8bit):7.9188668904013815
                                                                    Encrypted:false
                                                                    SSDEEP:24576:aAEBXzGJ7fW6hHv62VYeL7WCE3wixdLZWQzMjp:uBXQz/hPzxRwPdcO
                                                                    MD5:246900CE6474718730ECD4F873234CF5
                                                                    SHA1:0C84B56C82E4624824154D27926DED1C45F4B331
                                                                    SHA-256:981A17EFFDDBC20377512DDAEC9F22C2B7067E17A3E2A8CCF82BB7BB7B2420B6
                                                                    SHA-512:6A9E305BFBFB57D8F8FD16EDABEF9291A8A97E4B9C2AE90622F6C056E518A0A731FBB3E33A2591D87C8E4293D0F983EC515E6A241792962257B82401A8811D5C
                                                                    Malicious:false
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L..............8............>....../.-....(.T....9......!......?......:....Rich...........PE..d.....[J.........." ................ {....................................................@.........................................@.......8...P....p.......`.......4..................................................................(............................text............................... ..`.data....:... ......................@....pdata.......`....... ..............@..@.rsrc........p.......*..............@..@.reloc..D............0..............@..B................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Program Files\douwan\DouWan.exe
                                                                    File Type:ASCII text, with very long lines (376), with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):4408
                                                                    Entropy (8bit):5.184939524005975
                                                                    Encrypted:false
                                                                    SSDEEP:48:wjH1js+Pc18KdsjH1Ks+PcA8KdTjH1hs+Pc38KdTjH1hs+Pc38Kd6:wt6W4Ttvstvsg
                                                                    MD5:1300522DCC94D26663FFA33CD0589C3C
                                                                    SHA1:301D4A72A5CC5E4F30B640144E399E2229E072BA
                                                                    SHA-256:30D7FFEE30D403DCC867BB332FBFF53FDB054C3AAD4971CD3938A07AEF594F44
                                                                    SHA-512:A6D39B4080EA4746E6D14CD66306D986A0C005AFC6DE4D1C9FC3447F9BDE70A4E648E7299051C4A76791117383E7F99B0DAAB0A5C34C900CB5A030955D908EF5
                                                                    Malicious:false
                                                                    Preview:2024-07-03 12:01:21 info->pid = 0003 info->vid = 0e0f info->mi=1 info->is_composite=1 info->desc=VMware (Interface 1) info->driver=HidUsb info->device_id = USB\VID_0E0F&PID_0003&MI_01\6&13A33973&0&0001 info->hardware_id=USB\VID_0E0F&PID_0003&REV_0102&MI_01 info->device_desc = USB Input Device , info->mfg = (Standard system devices) vendor_name=VMWare, Inc. ..2024-07-03 12:01:21 info->pid = 0003 info->vid = 0e0f info->mi=0 info->is_composite=0 info->desc=VMware Virtual USB Mouse (Composite Parent) info->driver=usbccgp info->device_id = USB\VID_0E0F&PID_0003\5&2DDA038&0&5 info->hardware_id=USB\VID_0E0F&PID_0003&REV_0102 info->device_desc = USB Composite Device , info->mfg = (Standard USB Host Controller) vendor_name=VMWare, Inc. ..2024-07-03 12:01:21 info->pid = 0003 info->vid = 0e0f info->mi=0 info->is_composite=1 info->desc=VMware (Interface 0) info->driver=HidUsb info->device_id = USB\VID_0E0F&PID_0003&MI_00\6&13A33973&0&0000 info->hardware_id=USB\VID_0E0F&PID_0003&REV_0102&MI_00 info
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Apr 28 02:59:08 2024, mtime=Wed Jul 3 15:00:48 2024, atime=Sun Apr 28 02:59:08 2024, length=19631720, window=hide
                                                                    Category:dropped
                                                                    Size (bytes):861
                                                                    Entropy (8bit):4.554216179093984
                                                                    Encrypted:false
                                                                    SSDEEP:12:8m/6lYXvZ1h9VZdpF441Ho77+8KNyhlCjAVbdp7kl3bdpQrBmV:8mRZBdRC7WNyCAZdVidqrBm
                                                                    MD5:7F723478ECAC29E0FC83E94919167DD7
                                                                    SHA1:70625374388786F3CB14AB6C409A4B0436CFF6FF
                                                                    SHA-256:6A078C52DA5D5BD7CC61820BB48A5B449BAA6D9E18B741D868A933BDFF81CBD1
                                                                    SHA-512:7E953BBBFD42FBCEBFF92A292299B73E937C8A0472F9F6D64416ED0E1D33454311E8FCA26C93FF718BFCAAAA6A30BC9A7A524CE00502C3F3A48573BECC570516
                                                                    Malicious:false
                                                                    Preview:L..................F.... ....N[k ...5..+b....N[k ...h.+.....................o....P.O. .:i.....+00.../C:\.....................1......X....PROGRA~1..t......O.I.X......B...............J.....c...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1......X#...douwan..>.......X...X#...........................9.'.d.o.u.w.a.n.....`.2.h.+..Xd. .DouWan.exe..F......Xd..X......E.........................D.o.u.W.a.n...e.x.e.......Q...............-.......P............cj......C:\Program Files\douwan\DouWan.exe..:.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.d.o.u.w.a.n.\.D.o.u.W.a.n...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.d.o.u.w.a.n.`.......X.......704672...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                    Category:dropped
                                                                    Size (bytes):579
                                                                    Entropy (8bit):2.7588061287768566
                                                                    Encrypted:false
                                                                    SSDEEP:6:4xtCl0RMl//A9LY/dlrtolXFHCcIelQMy0fK1KRSAt0bdlrknel4RSAIbdlrknez:8wl0RkXXdp+XFHbDK4MbdpiSbdpT
                                                                    MD5:C0CAF4EA066A40169E5ECE2BAA8777D4
                                                                    SHA1:90B97C8C4C9C1E6FADC59F422D4245B4BE893CBA
                                                                    SHA-256:311B4EF1DAF8350FFBAFCC92F74CE66D20A76F00A0AA5C31EB0ECDCACBF4DDD9
                                                                    SHA-512:65780DC3A394DA155B9B402CE604DCAA2E1A3337F1AE6F46285667A49C325927763FF4295803985230AB7F6AAC9F51FC26709B0F06B8D1D0DEB9C1B058732274
                                                                    Malicious:false
                                                                    Preview:L..................F........................................................K....P.O. .:i.....+00.../C:\...................h.1...........Program Files.L............................................P.r.o.g.r.a.m. .F.i.l.e.s.....T.1...........douwan..>............................................d.o.u.w.a.n.....`.2...........uninst.exe..F............................................u.n.i.n.s.t...e.x.e.......:.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.d.o.u.w.a.n.\.u.n.i.n.s.t...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.d.o.u.w.a.n.....
                                                                    Process:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Apr 28 02:59:08 2024, mtime=Wed Jul 3 15:01:05 2024, atime=Sun Apr 28 02:59:08 2024, length=19631720, window=hide
                                                                    Category:dropped
                                                                    Size (bytes):825
                                                                    Entropy (8bit):4.609733828711024
                                                                    Encrypted:false
                                                                    SSDEEP:12:8mc6lYXvZ1h9VZdpF441Ho77+8KNyhlCjAHbdp7kl3bdpQrBmV:8mSZBdRC7WNyCA7dVidqrBm
                                                                    MD5:10D75434A8205CA7D4D71233F939ED62
                                                                    SHA1:84F2DE50C03A436378374CA20117801C31D3BBEE
                                                                    SHA-256:C090FD38D519959F02C9022D1374AAA2D6AEBA2490DA0769F09E10648B0B5E0F
                                                                    SHA-512:4AFBD03B740C9EAA66A412604529080007973191F52C81E4B621A0311B63B88A06C0950727A09238F611E51364E0A8DFA34E95FF2B4EC990D5AF31E5AD21DD25
                                                                    Malicious:false
                                                                    Preview:L..................F.... ....N[k ....O.6b....N[k ...h.+.....................o....P.O. .:i.....+00.../C:\.....................1......X....PROGRA~1..t......O.I.X......B...............J.....c...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1......X#...douwan..>.......X...X#...........................9.'.d.o.u.w.a.n.....`.2.h.+..Xd. .DouWan.exe..F......Xd..X......E.........................D.o.u.W.a.n...e.x.e.......Q...............-.......P............cj......C:\Program Files\douwan\DouWan.exe..(.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.d.o.u.w.a.n.\.D.o.u.W.a.n...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.d.o.u.w.a.n.`.......X.......704672...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                    Process:C:\Windows\System32\WerFault.exe
                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                    Category:dropped
                                                                    Size (bytes):1835008
                                                                    Entropy (8bit):4.465584360683333
                                                                    Encrypted:false
                                                                    SSDEEP:6144:0IXfpi67eLPU9skLmb0b4PWSPKaJG8nAgejZMMhA2gX4WABl0uNBdwBCswSba:JXD94PWlLZMM6YFH3+a
                                                                    MD5:884F41FB3CEC262BB8776FAF6273B277
                                                                    SHA1:0233F273DCFCDDAE90DCFF3A2BE0D83D06C10DA9
                                                                    SHA-256:F71F271218ACA29C902CF20B60E6F9051654C69CA1EB9D4C0E665B7C43E304A5
                                                                    SHA-512:3EFE1E9B285A89C4D7EB661333F9FE56296ABB04741EE2D5A0C552AFE8D3B0994D330DB72056DAE3BBD2B752CEF0562DA0CE215D7308A486A2B958C2FB8C1565
                                                                    Malicious:false
                                                                    Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmB..Ab..................................................................................................................................................................................................................................................................................................................................................u........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                    Entropy (8bit):7.99871208371639
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    File size:46'547'184 bytes
                                                                    MD5:54f1dfbda1d18a3cdb6055546d45dc84
                                                                    SHA1:3ff5de326326a96db424dd27df20d1d855a61570
                                                                    SHA256:d6916e1f1e375b82dcdde615a6fdadeadda98788ce084812ccd6ba133b8a447c
                                                                    SHA512:ff52a50f5c2dbcd62ec29106bbd6b787d5fa136d380b6ec807204d6de7f3ba0e9b05d5f25bf5761b452d03189bda6bb3425450625563c6de1be7c906587f4d3e
                                                                    SSDEEP:786432:NZXOkn1Uliz84Hf+hs5zPv4ndbWo12/6KdvzN3i/GKP8RtQb1/zrV:NZfUinGhAzX4dbZMB2CtQh/zp
                                                                    TLSH:4AA733A45DB59FCAF41788BF89D9AFA9C4B6DCB019A2425054F0354F8A3FF0E1C889C5
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....$_.................f...*.....
                                                                    Icon Hash:69d4ded4d0b2cc23
                                                                    Entrypoint:0x40348f
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:true
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x5F24D6C5 [Sat Aug 1 02:43:17 2020 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:6e7f9a29f2c85394521a08b9f31f6275
                                                                    Signature Valid:true
                                                                    Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                                    Signature Validation Error:The operation completed successfully
                                                                    Error Number:0
                                                                     Not Before: 19/04/2023 08:19:47
                                                                     Not After: 27/06/2026 09:53:27
                                                                    Subject Chain
                                                                     • CN=北京宇辰互联科技有限公司, O=北京宇辰互联科技有限公司, STREET=石景山区古城南街9号院5号楼7层706, L=Beijing, S=Beijing, C=CN, OID.1.3.6.1.4.1.311.60.2.1.2=BEIJING, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91110107MA009U219W, OID.2.5.4.15=Private Organization
                                                                    Version:3
                                                                    Thumbprint MD5:06627C971B93662F9259702FDEADF48B
                                                                    Thumbprint SHA-1:47F2C49170F68331FD6B28D2353E060D790A44E4
                                                                    Thumbprint SHA-256:2CDA87EC235D0B76DE60580347BE28579D9AE8E85380C08F6F2F93351A4003B0
                                                                    Serial:237091ECDF580FAD426C62F6
                                                                    Instruction
                                                                    sub esp, 000002D4h
                                                                    push ebx
                                                                    push esi
                                                                    push edi
                                                                    push 00000020h
                                                                    pop edi
                                                                    xor ebx, ebx
                                                                    push 00008001h
                                                                    mov dword ptr [esp+14h], ebx
                                                                    mov dword ptr [esp+10h], 0040A2E0h
                                                                    mov dword ptr [esp+1Ch], ebx
                                                                    call dword ptr [004080CCh]
                                                                    call dword ptr [004080D0h]
                                                                    and eax, BFFFFFFFh
                                                                    cmp ax, 00000006h
                                                                    mov dword ptr [0042A22Ch], eax
                                                                    je 00007F395D3D21E3h
                                                                    push ebx
                                                                    call 00007F395D3D54D1h
                                                                    cmp eax, ebx
                                                                    je 00007F395D3D21D9h
                                                                    push 00000C00h
                                                                    call eax
                                                                    mov esi, 004082B0h
                                                                    push esi
                                                                    call 00007F395D3D544Bh
                                                                    push esi
                                                                    call dword ptr [00408154h]
                                                                    lea esi, dword ptr [esi+eax+01h]
                                                                    cmp byte ptr [esi], 00000000h
                                                                    jne 00007F395D3D21BCh
                                                                    push 0000000Bh
                                                                    call 00007F395D3D54A4h
                                                                    push 00000009h
                                                                    call 00007F395D3D549Dh
                                                                    push 00000007h
                                                                    mov dword ptr [0042A224h], eax
                                                                    call 00007F395D3D5491h
                                                                    cmp eax, ebx
                                                                    je 00007F395D3D21E1h
                                                                    push 0000001Eh
                                                                    call eax
                                                                    test eax, eax
                                                                    je 00007F395D3D21D9h
                                                                    or byte ptr [0042A22Fh], 00000040h
                                                                    push ebp
                                                                    call dword ptr [00408038h]
                                                                    push ebx
                                                                    call dword ptr [00408298h]
                                                                    mov dword ptr [0042A2F8h], eax
                                                                    push ebx
                                                                    lea eax, dword ptr [esp+34h]
                                                                    push 000002B4h
                                                                    push eax
                                                                    push ebx
                                                                    push 004216C8h
                                                                    call dword ptr [0040818Ch]
                                                                    push 0040A2C8h
                                                                    Programming Language:
                                                                    • [EXP] VC++ 6.0 SP5 build 8804
                                                                     Name | Virtual Address | Virtual Size | Is in Section
                                                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                                                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x5c950 | .rsrc
                                                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2c5da88 | 0x6668 |
                                                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                                                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                     .text | 0x1000 | 0x6411 | 0x6600 | 1be075c408f39c844a297d85521f5b93 | False | 0.6545266544117647 | data | 6.40243296676441 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                     .rdata | 0x8000 | 0x1398 | 0x1400 | e3e8d62e1d2308b175349eb9daa266c8 | False | 0.4494140625 | data | 5.137750894959169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                     .data | 0xa000 | 0x20338 | 0x600 | 92925084f722469459e6111e8ee4a9d0 | False | 0.5013020833333334 | data | 4.020801365171916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                     .ndata | 0x2b000 | 0x15000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                     .rsrc | 0x40000 | 0x5c950 | 0x5ca00 | b57099a9f32dfb939449459a7e9dbd97 | False | 0.08415306595816464 | data | 5.111720696371613 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                     RT_ICON | 0x40460 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 524288 | English | United States | 0.05065538361393023
                                                                     RT_ICON | 0x82488 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 131072 | English | United States | 0.10784632674790015
                                                                     RT_ICON | 0x92cb0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 32768 | English | United States | 0.20807746811525743
                                                                     RT_ICON | 0x96ed8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 18432 | English | United States | 0.22821576763485477
                                                                     RT_ICON | 0x99480 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 8192 | English | United States | 0.3874296435272045
                                                                     RT_ICON | 0x9a528 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 4608 | English | United States | 0.43565573770491806
                                                                     RT_ICON | 0x9aeb0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 2048 | English | United States | 0.6453900709219859
                                                                     RT_DIALOG | 0x9b318 | 0x120 | data | English | United States | 0.5138888888888888
                                                                     RT_DIALOG | 0x9b438 | 0x202 | data | English | United States | 0.4085603112840467
                                                                     RT_DIALOG | 0x9b640 | 0xf8 | data | English | United States | 0.6290322580645161
                                                                     RT_DIALOG | 0x9b738 | 0xd4 | data | English | United States | 0.5990566037735849
                                                                     RT_DIALOG | 0x9b810 | 0xee | data | English | United States | 0.6260504201680672
                                                                     RT_DIALOG | 0x9b900 | 0x10c | data | English | United States | 0.5111940298507462
                                                                     RT_DIALOG | 0x9ba10 | 0x1ee | data | English | United States | 0.3866396761133603
                                                                     RT_DIALOG | 0x9bc00 | 0xe4 | data | English | United States | 0.6359649122807017
                                                                     RT_DIALOG | 0x9bce8 | 0xc0 | data | English | United States | 0.5885416666666666
                                                                     RT_DIALOG | 0x9bda8 | 0xda | data | English | United States | 0.6376146788990825
                                                                     RT_GROUP_ICON | 0x9be88 | 0x68 | data | English | United States | 0.7403846153846154
                                                                     RT_VERSION | 0x9bef0 | 0x360 | data | English | United States | 0.4224537037037037
                                                                     RT_VERSION | 0x9c250 | 0x2d0 | data | Chinese | China | 0.5055555555555555
                                                                     RT_MANIFEST | 0x9c520 | 0x430 | XML 1.0 document, ASCII text, with very long lines (1072), with no line terminators | English | United States | 0.5139925373134329
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system | Country where language is spoken | Map
English | United States
Chinese | China
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Jul 3, 2024 18:01:31.486824989 CEST49759443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:31.487281084 CEST49759443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:31.487298965 CEST4434975940.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:31.487310886 CEST49759443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:31.487317085 CEST4434975940.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:31.603404045 CEST49760443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:31.603444099 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:31.603549957 CEST49760443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:31.603782892 CEST49760443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:31.603796005 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:32.401487112 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:32.402471066 CEST49760443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:32.402502060 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:32.403156042 CEST49760443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:32.403156042 CEST49760443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:32.403165102 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:32.403178930 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.096807003 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.096839905 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.096884012 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.096965075 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.097078085 CEST49760443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:33.097115040 CEST49760443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:33.097804070 CEST49760443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:33.097822905 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.097835064 CEST49760443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:33.097841024 CEST4434976040.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.137535095 CEST49761443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:33.137592077 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.137717009 CEST49761443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:33.137912989 CEST49761443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:33.137929916 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.921226978 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.921689034 CEST49761443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:33.921717882 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.922302961 CEST49761443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:33.922308922 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:33.922473907 CEST49761443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:33.922482967 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:34.292711973 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:34.292736053 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:34.292813063 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:34.292834997 CEST49761443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:34.292889118 CEST49761443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:34.293173075 CEST49761443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:34.293198109 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:34.293215036 CEST49761443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:34.293220997 CEST4434976140.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:34.319350004 CEST49762443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:34.319401979 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:34.319519043 CEST49762443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:34.319717884 CEST49762443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:34.319726944 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:34.424700022 CEST4972480192.168.2.4199.232.214.172
                                                                    Jul 3, 2024 18:01:34.429847002 CEST8049724199.232.214.172192.168.2.4
                                                                    Jul 3, 2024 18:01:34.432657957 CEST4972480192.168.2.4199.232.214.172
                                                                    Jul 3, 2024 18:01:35.077419996 CEST49672443192.168.2.4173.222.162.32
                                                                    Jul 3, 2024 18:01:35.121536970 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.122261047 CEST49762443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:35.122279882 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.122924089 CEST49762443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:35.122931004 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.123017073 CEST49762443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:35.123025894 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.814121962 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.814151049 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.814192057 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.814249992 CEST49762443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:35.814260006 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.814310074 CEST49762443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:35.814543009 CEST49762443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:35.814564943 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.814575911 CEST49762443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:35.814583063 CEST4434976240.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.835180044 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:35.835230112 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.835340023 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:35.835475922 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:35.835484982 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:35.986012936 CEST44349739173.222.162.32192.168.2.4
                                                                    Jul 3, 2024 18:01:35.986133099 CEST49739443192.168.2.4173.222.162.32
                                                                    Jul 3, 2024 18:01:36.620304108 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:36.620989084 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:36.621023893 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:36.621613026 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:36.621618032 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:36.621665001 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:36.621674061 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:36.971734047 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:36.971765995 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:36.971807003 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:36.971888065 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:36.971920013 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:36.971936941 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:36.971991062 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:36.972033024 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:36.972278118 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:36.972296953 CEST4434976340.126.31.73192.168.2.4
                                                                    Jul 3, 2024 18:01:36.972306967 CEST49763443192.168.2.440.126.31.73
                                                                    Jul 3, 2024 18:01:36.972312927 CEST4434976340.126.31.73192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 3, 2024 18:00:45.925508022 CEST | 138 | 138 | 192.168.2.4 | 192.168.2.255
Jul 3, 2024 18:01:13.731592894 CEST | 50045 | 53 | 192.168.2.4 | 1.1.1.1
Jul 3, 2024 18:01:13.961229086 CEST | 53 | 50045 | 1.1.1.1 | 192.168.2.4
Jul 3, 2024 18:01:17.365981102 CEST | 59669 | 53 | 192.168.2.4 | 1.1.1.1
Jul 3, 2024 18:01:17.535590887 CEST | 53 | 59669 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 3, 2024 18:01:13.731592894 CEST | 192.168.2.4 | 1.1.1.1 | 0xece8 | Standard query (0) | api.douwan.video | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:01:17.365981102 CEST | 192.168.2.4 | 1.1.1.1 | 0x6291 | Standard query (0) | usbserver.douwan.video | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 3, 2024 18:01:13.961229086 CEST | 1.1.1.1 | 192.168.2.4 | 0xece8 | No error (0) | api.douwan.video |  | 101.200.59.29 | A (IP address) | IN (0x0001) | false
Jul 3, 2024 18:01:17.535590887 CEST | 1.1.1.1 | 192.168.2.4 | 0x6291 | No error (0) | usbserver.douwan.video |  | 47.104.158.224 | A (IP address) | IN (0x0001) | false
                                                                    • slscr.update.microsoft.com
                                                                    • api.douwan.video
                                                                    • login.live.com
                                                                    • fs.microsoft.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49740 | 47.104.158.224 | 80 | 6016 | C:\Program Files\douwan\DouWan.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:01:17.544353008 CEST | 648 | OUT | POST /app/api/validActiveCode HTTP/1.0
                                                                    Content-Type: application/custom
                                                                    Content-Length: 512
                                                                    User-Agent: stlAirPlayer
                                                                    Accept: */*
Jul 3, 2024 18:01:18.682147980 CEST | 604 | IN | HTTP/1.1 200 OK
                                                                    X-Powered-By: Express
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 232
                                                                    ETag: W/"e8-U1WyFKr6Ccs5eutgov/qWQ"
                                                                    set-cookie: connect.sid=s%3ATNKJZp8MkCYC4zdP6DYNUdSuC2_7z9aM.CPgrtj4pTXYaE3YYlyALsKiC%2Be%2FR1zOaAnmo2%2BnGkq8; Path=/; Expires=Wed, 03 Jul 2024 16:11:18 GMT; HttpOnly
                                                                    Date: Wed, 03 Jul 2024 16:01:18 GMT
                                                                    Connection: close
                                                                    Data Ascii: {"err":null,"success":true,"data":{"hash":"F+jzvG0EPsiyvmqq2BL1U1JmQxTHxPzB302d9hV+I0J8LJtUy0xW1sdZFqzC2eV2w0AAQZfnfS5dhMJf+jTFd+dXTqhRHkzSdEN+rmzxkMEfNw+V2YHlJDNES6YSfYKqiJXpnCZEmFTDh8M7PujD2U+j2ALiZJ/cIyr22O3xDQ4=","version":"0"}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49741 | 47.104.158.224 | 80 | 6016 | C:\Program Files\douwan\DouWan.exe
Timestamp | Bytes transferred | Direction | Data
Jul 3, 2024 18:01:18.688290119 CEST | 652 | OUT | POST /app/api/validActiveCodeFree HTTP/1.0
                                                                    Content-Type: application/custom
                                                                    Content-Length: 512
                                                                    User-Agent: stlAirPlayer
                                                                    Accept: */*
Jul 3, 2024 18:01:19.711366892 CEST | 368 | IN | HTTP/1.1 200 OK
                                                                    X-Powered-By: Express
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 218
                                                                    ETag: W/"da-wQ5pLk8Xs21cQTIAUlMfmQ"
                                                                    set-cookie: connect.sid=s%3AZASlzcGTRV9P9K_rYEJYvjtPZhfR6cPe.qy2JZ42HHoWU4xhHfYXwBtpIRsbtDnW2%2B2dC9SGNKc4; Path=/; Expires=Wed, 03 Jul 2024 16:11:19 GMT; HttpOnly
                                                                    Date: Wed, 03 Jul 2024 16:01:19 GMT
                                                                    Connection: close
Jul 3, 2024 18:01:19.711822033 CEST | 218 | IN
                                                                    Data Ascii: {"err":null,"success":true,"data":{"hash":"kGx/Mm+Zt2aXrPP75PvA4M73eY4sCeMFV11k3kIQ2sz+D/JWM2xjKO0rJqdDkCxGdDjJUF+sQLm3pyhIVcU9RjsjtzwtiwOc9Gv9vCdjv9cqIdAksmYOcbOz5nepdafFsd2t4BqKya2dWMACgv8iUR0sktHx27IMQLmuQRuX8TU="}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 20.114.59.183 | 443 |  | 
Timestamp | Bytes transferred | Direction | Data
2024-07-03 16:00:49 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2PgZmmtPrgnHHEs&MD=vwNG4BCV HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Accept: */*
                                                                    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                    Host: slscr.update.microsoft.com
2024-07-03 16:00:49 UTC | 560 | IN | HTTP/1.1 200 OK
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    Content-Type: application/octet-stream
                                                                    Expires: -1
                                                                    Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                    ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                                                                    MS-CorrelationId: 02362141-a06c-44e7-bff3-27f6929df204
                                                                    MS-RequestId: f86c388b-462f-4616-bf97-f205043c841f
                                                                    MS-CV: RsDJQhb8I0e7xqze.0
                                                                    X-Microsoft-SLSClientCache: 2880
                                                                    Content-Disposition: attachment; filename=environment.cab
                                                                    X-Content-Type-Options: nosniff
                                                                    Date: Wed, 03 Jul 2024 16:00:48 GMT
                                                                    Connection: close
                                                                    Content-Length: 24490


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49738 | 101.200.59.29 | 443 | 6016 | C:\Program Files\douwan\DouWan.exe
Timestamp | Bytes transferred | Direction | Data
2024-07-03 16:01:16 UTC | 331 | OUT | POST /v1/app/checkVersion?uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en HTTP/1.1
                                                                    Host: api.douwan.video
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Content-Length: 92
                                                                    Connection: Keep-Alive
                                                                    Accept-Encoding: gzip, deflate
                                                                    Accept-Language: en-CH,*
                                                                    User-Agent: Mozilla/5.0
                                                                    2024-07-03 16:01:16 UTC | 92 | OUT
                                                                    Data Ascii: uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en
                                                                    2024-07-03 16:01:17 UTC | 295 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx/1.12.2
                                                                    Date: Wed, 03 Jul 2024 16:01:16 GMT
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 383
                                                                    Connection: close
                                                                    Set-Cookie: airServer=995da025b8a84f29c1aa3ab92d8dcd3f; Path=/; Expires=Thu, 01 Aug 2024 00:01:16 GMT; Max-Age=2448000; HttpOnly
                                                                    2024-07-03 16:01:17 UTC | 383 | IN
                                                                    Data Ascii: {"code":10000,"message":"","data":{"version":"4.3.0.0","force_upgrade":1,"url":"https://endownload.douwan.video/update/DouWan-Video-Setup-En-4.3.0.3.exe","description":"1. Optimize operation experience by adding some guides. 2. support Google Cast comp


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    2 | 192.168.2.4 | 49747 | 101.200.59.29 | 443 | 6016 | C:\Program Files\douwan\DouWan.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-07-03 16:01:23 UTC | 381 | OUT | POST /v1/app/getMessage?uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en HTTP/1.1
                                                                    Host: api.douwan.video
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Cookie: airServer=995da025b8a84f29c1aa3ab92d8dcd3f
                                                                    Content-Length: 92
                                                                    Connection: Keep-Alive
                                                                    Accept-Encoding: gzip, deflate
                                                                    Accept-Language: en-CH,*
                                                                    User-Agent: Mozilla/5.0
                                                                    2024-07-03 16:01:23 UTC | 92 | OUT
                                                                    Data Ascii: uuid=w61f0b7401cce31b61af8ef16887023fb&softversion=4.3.0.3&limituse=1&language=en-us&lang=en
                                                                    2024-07-03 16:01:24 UTC | 164 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx/1.12.2
                                                                    Date: Wed, 03 Jul 2024 16:01:24 GMT
                                                                    Content-Type: application/json; charset=utf-8
                                                                    Content-Length: 94
                                                                    Connection: close
                                                                    2024-07-03 16:01:24 UTC | 94 | IN
                                                                    Data Ascii: {"code":10000,"msg":"Success","success":true,"data":{"message":"","url":"","begin":0,"end":0}}


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    3 | 192.168.2.4 | 49755 | 184.28.90.27 | 443
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-07-03 16:01:26 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Accept: */*
                                                                    Accept-Encoding: identity
                                                                    User-Agent: Microsoft BITS/7.8
                                                                    Host: fs.microsoft.com
                                                                    2024-07-03 16:01:26 UTC | 466 | IN | HTTP/1.1 200 OK
                                                                    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                                    Content-Type: application/octet-stream
                                                                    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                                    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                                    Server: ECAcc (lpl/EF06)
                                                                    X-CID: 11
                                                                    X-Ms-ApiVersion: Distribute 1.2
                                                                    X-Ms-Region: prod-neu-z1
                                                                    Cache-Control: public, max-age=86858
                                                                    Date: Wed, 03 Jul 2024 16:01:26 GMT
                                                                    Connection: close
                                                                    X-CID: 2


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    4 | 192.168.2.4 | 49756 | 40.126.31.73 | 443
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-07-03 16:01:27 UTC | 422 | OUT | POST /RST2.srf HTTP/1.0
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/soap+xml
                                                                    Accept: */*
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                                                                    Content-Length: 3592
                                                                    Host: login.live.com
                                                                    2024-07-03 16:01:27 UTC | 3592 | OUT
                                                                    Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                                                                    2024-07-03 16:01:27 UTC | 568 | IN | HTTP/1.1 200 OK
                                                                    Cache-Control: no-store, no-cache
                                                                    Pragma: no-cache
                                                                    Content-Type: application/soap+xml; charset=utf-8
                                                                    Expires: Wed, 03 Jul 2024 16:00:27 GMT
                                                                    P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                                                                    Referrer-Policy: strict-origin-when-cross-origin
                                                                    x-ms-route-info: C533_BL2
                                                                    x-ms-request-id: 611aa424-7b51-43df-88fc-fcfdacfeb28e
                                                                    PPServer: PPV: 30 H: BL02EPF0001D7B4 V: 0
                                                                    X-Content-Type-Options: nosniff
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    X-XSS-Protection: 1; mode=block
                                                                    Date: Wed, 03 Jul 2024 16:01:27 GMT
                                                                    Connection: close
                                                                    Content-Length: 1277
                                                                    2024-07-03 16:01:27 UTC | 1277 | IN
                                                                    Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    5 | 192.168.2.4 | 49757 | 184.28.90.27 | 443
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-07-03 16:01:27 UTC | 239 | OUT | GET /fs/windows/config.json HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Accept: */*
                                                                    Accept-Encoding: identity
                                                                    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
                                                                    Range: bytes=0-2147483646
                                                                    User-Agent: Microsoft BITS/7.8
                                                                    Host: fs.microsoft.com
                                                                    2024-07-03 16:01:27 UTC | 514 | IN | HTTP/1.1 200 OK
                                                                    ApiVersion: Distribute 1.1
                                                                    Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                                    Content-Type: application/octet-stream
                                                                    ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                                    Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                                    Server: ECAcc (lpl/EF06)
                                                                    X-CID: 11
                                                                    X-Ms-ApiVersion: Distribute 1.2
                                                                    X-Ms-Region: prod-weu-z1
                                                                    Cache-Control: public, max-age=86867
                                                                    Date: Wed, 03 Jul 2024 16:01:27 GMT
                                                                    Content-Length: 55
                                                                    Connection: close
                                                                    X-CID: 2
                                                                    2024-07-03 16:01:27 UTC | 55 | IN
                                                                    Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    6 | 192.168.2.4 | 49758 | 20.114.59.183 | 443
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-07-03 16:01:27 UTC | 306 | OUT | GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=2PgZmmtPrgnHHEs&MD=vwNG4BCV HTTP/1.1
                                                                    Connection: Keep-Alive
                                                                    Accept: */*
                                                                    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                                    Host: slscr.update.microsoft.com
                                                                    2024-07-03 16:01:27 UTC | 560 | IN | HTTP/1.1 200 OK
                                                                    Cache-Control: no-cache
                                                                    Pragma: no-cache
                                                                    Content-Type: application/octet-stream
                                                                    Expires: -1
                                                                    Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                                    ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
                                                                    MS-CorrelationId: d3de6716-d782-487d-a44c-980c1f33d83e
                                                                    MS-RequestId: 2ab5d45d-a341-4334-9232-9802979f4b4d
                                                                    MS-CV: 7fhPMx7Y9Uu8LNgk.0
                                                                    X-Microsoft-SLSClientCache: 1440
                                                                    Content-Disposition: attachment; filename=environment.cab
                                                                    X-Content-Type-Options: nosniff
                                                                    Date: Wed, 03 Jul 2024 16:01:26 GMT
                                                                    Connection: close
                                                                    Content-Length: 30005
                                                                    2024-07-03 16:01:27 UTC | 15824 | IN
                                                                    2024-07-03 16:01:27 UTC | 14181 | IN


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    7 | 192.168.2.4 | 49759 | 40.126.31.73 | 443
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-07-03 16:01:28 UTC | 446 | OUT | POST /ppsecure/deviceaddcredential.srf HTTP/1.0
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/soap+xml
                                                                    Accept: */*
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                                                                    Content-Length: 7642
                                                                    Host: login.live.com
                                                                    2024-07-03 16:01:28 UTC | 7642 | OUT
                                                                    Data Ascii: <DeviceAddRequest><ClientInfo name="IDCRL" version="1.0"><BinaryVersion>24</BinaryVersion></ClientInfo><Authentication><Membername>02mjkpsynhbibdch</Membername><Password>MPRiRvA;2i+K@rt+W?PH</Password></Authentication><OldMembername>02akqrlfgukijevl</OldM
                                                                    2024-07-03 16:01:31 UTC | 542 | IN | HTTP/1.1 200 OK
                                                                    Cache-Control: no-store, no-cache
                                                                    Pragma: no-cache
                                                                    Content-Type: text/xml
                                                                    Expires: Wed, 03 Jul 2024 16:00:28 GMT
                                                                    P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                                                                    Referrer-Policy: strict-origin-when-cross-origin
                                                                    x-ms-route-info: C528_SN1
                                                                    x-ms-request-id: 494ac571-4dea-4c00-9a1f-85c447cc88bc
                                                                    PPServer: PPV: 30 H: SN1PEPF0002F036 V: 0
                                                                    X-Content-Type-Options: nosniff
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    X-XSS-Protection: 1; mode=block
                                                                    Date: Wed, 03 Jul 2024 16:01:31 GMT
                                                                    Connection: close
                                                                    Content-Length: 17166
                                                                    2024-07-03 16:01:31 UTC | 15842 | IN
                                                                    Data Ascii: <DeviceAddResponse Success="true"><success>true</success><puid>00180010CAF1978C</puid><DeviceTpmKeyState>3</DeviceTpmKeyState><License ContentID="3252b20c-d425-4711-8cc5-b2f53c830b76" ID="2e9116ac-bb07-432a-a55b-d6cb36a5cb8b" LicenseID="3252b20c-d425-4711
                                                                    2024-07-03 16:01:31 UTC | 1324 | IN
                                                                    Data Ascii: tp://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><DigestValue>gtqwpR5fGDaoHsM7IWGKZgawXa0BPiGae5bIun/RQJA=</DigestValue></Reference></SignedInfo><SignatureValue>AF8oFR+Gf


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                    8 | 192.168.2.4 | 49760 | 40.126.31.73 | 443
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-07-03 16:01:32 UTC | 422 | OUT | POST /RST2.srf HTTP/1.0
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/soap+xml
                                                                    Accept: */*
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                                                                    Content-Length: 3592
                                                                    Host: login.live.com
                                                                    2024-07-03 16:01:32 UTC | 3592 | OUT
                                                                    Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                                                                    2024-07-03 16:01:33 UTC | 654 | IN | HTTP/1.1 200 OK
                                                                    Cache-Control: no-store, no-cache
                                                                    Pragma: no-cache
                                                                    Content-Type: application/soap+xml; charset=utf-8
                                                                    Expires: Wed, 03 Jul 2024 16:00:32 GMT
                                                                    P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                                                                    FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30275.14
                                                                    Referrer-Policy: strict-origin-when-cross-origin
                                                                    x-ms-route-info: C504_SN1
                                                                    x-ms-request-id: 95b8883c-b2ef-4c49-a22d-ca5801a52ec9
                                                                    PPServer: PPV: 30 H: SN1PEPF0002F031 V: 0
                                                                    X-Content-Type-Options: nosniff
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    X-XSS-Protection: 1; mode=block
                                                                    Date: Wed, 03 Jul 2024 16:01:32 GMT
                                                                    Connection: close
                                                                    Content-Length: 11390
                                                                    2024-07-03 16:01:33 UTC | 11390 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                                                                    Session ID:9
                                                                    Source IP:192.168.2.4
                                                                    Source Port:49761
                                                                    Destination IP:40.126.31.73
                                                                    Destination Port:443
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-07-03 16:01:33 UTC | 422 | OUT | POST /RST2.srf HTTP/1.0
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/soap+xml
                                                                    Accept: */*
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                                                                    Content-Length: 4775
                                                                    Host: login.live.com
                                                                    2024-07-03 16:01:33 UTC | 4775 | OUT | Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                                                                    2024-07-03 16:01:34 UTC | 568 | IN | HTTP/1.1 200 OK
                                                                    Cache-Control: no-store, no-cache
                                                                    Pragma: no-cache
                                                                    Content-Type: application/soap+xml; charset=utf-8
                                                                    Expires: Wed, 03 Jul 2024 16:00:34 GMT
                                                                    P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                                                                    Referrer-Policy: strict-origin-when-cross-origin
                                                                    x-ms-route-info: C533_SN1
                                                                    x-ms-request-id: a5475692-6c59-42b8-91e4-0b2f775bc569
                                                                    PPServer: PPV: 30 H: SN1PEPF0002FAA8 V: 0
                                                                    X-Content-Type-Options: nosniff
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    X-XSS-Protection: 1; mode=block
                                                                    Date: Wed, 03 Jul 2024 16:01:33 GMT
                                                                    Connection: close
                                                                    Content-Length: 1919
                                                                    2024-07-03 16:01:34 UTC | 1919 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                                                                    Session ID:10
                                                                    Source IP:192.168.2.4
                                                                    Source Port:49762
                                                                    Destination IP:40.126.31.73
                                                                    Destination Port:443
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-07-03 16:01:35 UTC | 422 | OUT | POST /RST2.srf HTTP/1.0
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/soap+xml
                                                                    Accept: */*
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                                                                    Content-Length: 4775
                                                                    Host: login.live.com
                                                                    2024-07-03 16:01:35 UTC | 4775 | OUT | Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                                                                    2024-07-03 16:01:35 UTC | 654 | IN | HTTP/1.1 200 OK
                                                                    Cache-Control: no-store, no-cache
                                                                    Pragma: no-cache
                                                                    Content-Type: application/soap+xml; charset=utf-8
                                                                    Expires: Wed, 03 Jul 2024 16:00:35 GMT
                                                                    P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                                                                    FdrTelemetry: &481=21&59=33&213=10&215=0&315=1&215=0&315=1&214=56&288=16.0.30275.14
                                                                    Referrer-Policy: strict-origin-when-cross-origin
                                                                    x-ms-route-info: C504_SN1
                                                                    x-ms-request-id: 7a75ce94-efbe-4992-b1c3-5a666dfcb4d8
                                                                    PPServer: PPV: 30 H: SN1PEPF0002F035 V: 0
                                                                    X-Content-Type-Options: nosniff
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    X-XSS-Protection: 1; mode=block
                                                                    Date: Wed, 03 Jul 2024 16:01:35 GMT
                                                                    Connection: close
                                                                    Content-Length: 11370
                                                                    2024-07-03 16:01:35 UTC | 11370 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                                                                    Session ID:11
                                                                    Source IP:192.168.2.4
                                                                    Source Port:49763
                                                                    Destination IP:40.126.31.73
                                                                    Destination Port:443
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    2024-07-03 16:01:36 UTC | 422 | OUT | POST /RST2.srf HTTP/1.0
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/soap+xml
                                                                    Accept: */*
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
                                                                    Content-Length: 4775
                                                                    Host: login.live.com
                                                                    2024-07-03 16:01:36 UTC | 4775 | OUT | Data Ascii: <?xml version="1.0" encoding="UTF-8"?><s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1
                                                                    2024-07-03 16:01:36 UTC | 569 | IN | HTTP/1.1 200 OK
                                                                    Cache-Control: no-store, no-cache
                                                                    Pragma: no-cache
                                                                    Content-Type: application/soap+xml; charset=utf-8
                                                                    Expires: Wed, 03 Jul 2024 16:00:36 GMT
                                                                    P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
                                                                    Referrer-Policy: strict-origin-when-cross-origin
                                                                    x-ms-route-info: C504_SN1
                                                                    x-ms-request-id: f4599091-e915-415f-9574-77633da7458b
                                                                    PPServer: PPV: 30 H: SN1PEPF0002FA50 V: 0
                                                                    X-Content-Type-Options: nosniff
                                                                    Strict-Transport-Security: max-age=31536000
                                                                    X-XSS-Protection: 1; mode=block
                                                                    Date: Wed, 03 Jul 2024 16:01:36 GMT
                                                                    Connection: close
                                                                    Content-Length: 11370
                                                                    2024-07-03 16:01:36 UTC | 11370 | IN | Data Ascii: <?xml version="1.0" encoding="utf-8" ?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200


                                                                    Target ID:0
                                                                    Start time:12:00:31
                                                                    Start date:03/07/2024
                                                                    Path:C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe"
                                                                    Imagebase:0x400000
                                                                    File size:46'547'184 bytes
                                                                    MD5 hash:54F1DFBDA1D18A3CDB6055546D45DC84
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:1
                                                                    Start time:12:00:45
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\SysWOW64\netsh.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:netsh advfirewall firewall add rule name="DouWan" dir=in action=allow program="C:\Program Files\douwan\DouWan.exe"
                                                                    Imagebase:0x1560000
                                                                    File size:82'432 bytes
                                                                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:12:00:45
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:6
                                                                    Start time:12:01:05
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualcam32.dll"
                                                                    Imagebase:0x5f0000
                                                                    File size:20'992 bytes
                                                                    MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:7
                                                                    Start time:12:01:06
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualaud32.dll"
                                                                    Imagebase:0x5f0000
                                                                    File size:20'992 bytes
                                                                    MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:12:01:06
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualcam64.dll"
                                                                    Imagebase:0x5f0000
                                                                    File size:20'992 bytes
                                                                    MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:9
                                                                    Start time:12:01:06
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\System32\regsvr32.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline: /i /s "C:\Program Files\douwan\VCam\douwan-virtualcam64.dll"
                                                                    Imagebase:0x7ff6fe3b0000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:10
                                                                    Start time:12:01:06
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\system32\regsvr32.exe" /i /s "C:\Program Files\douwan\VCam\douwan-virtualaud64.dll"
                                                                    Imagebase:0x5f0000
                                                                    File size:20'992 bytes
                                                                    MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:12:01:06
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\System32\regsvr32.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline: /i /s "C:\Program Files\douwan\VCam\douwan-virtualaud64.dll"
                                                                    Imagebase:0x7ff6fe3b0000
                                                                    File size:25'088 bytes
                                                                    MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:13
                                                                    Start time:12:01:11
                                                                    Start date:03/07/2024
                                                                    Path:C:\Program Files\douwan\DouWan.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\douwan\DouWan.exe"
                                                                    Imagebase:0x7ff625410000
                                                                    File size:19'631'720 bytes
                                                                    MD5 hash:E9A3B9746938F5A64159092AB84A9A9E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Antivirus matches:
                                                                    • Detection: 0%, ReversingLabs
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:14
                                                                    Start time:12:01:12
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:wmic csproduct get uuid
                                                                    Imagebase:0x7ff695250000
                                                                    File size:576'000 bytes
                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
                                                                    Has exited:true

                                                                    Target ID:15
                                                                    Start time:12:01:12
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff7699e0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:19
                                                                    Start time:12:01:24
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\WerFault.exe -pss -s 488 -p 6016 -ip 6016
                                                                    Imagebase:0x7ff6a3350000
                                                                    File size:570'736 bytes
                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:20
                                                                    Start time:12:01:24
                                                                    Start date:03/07/2024
                                                                    Path:C:\Windows\System32\WerFault.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\WerFault.exe -u -p 6016 -s 3156
                                                                    Imagebase:0x7ff6a3350000
                                                                    File size:570'736 bytes
                                                                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                      Execution Graph

                                                                      Execution Coverage:29.7%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:16.8%
                                                                      Total number of Nodes:1383
                                                                      Total number of Limit Nodes:39
403b89 3982->3983 3983->3980 3991 403baa lstrlenW 3983->3991 3995 405cdd CharNextW 3983->3995 3984 403c01 LoadImageW 3986 403ca7 3984->3986 3987 403c28 RegisterClassW 3984->3987 3985->3984 3988 406418 17 API calls 3985->3988 3990 40140b 2 API calls 3986->3990 3989 403c5e SystemParametersInfoW CreateWindowExW 3987->3989 4020 403cb1 3987->4020 3988->3984 3989->3986 3994 403cad 3990->3994 3992 403bb8 lstrcmpiW 3991->3992 3993 403bde 3991->3993 3992->3993 3997 403bc8 GetFileAttributesW 3992->3997 3998 405cb0 3 API calls 3993->3998 4000 403d80 18 API calls 3994->4000 3994->4020 3996 403ba7 3995->3996 3996->3991 3999 403bd4 3997->3999 4001 403be4 3998->4001 3999->3993 4002 405cfc 2 API calls 3999->4002 4003 403cbe 4000->4003 4055 4063db lstrcpynW 4001->4055 4002->3993 4005 403cca ShowWindow 4003->4005 4006 403d4d 4003->4006 4008 406760 3 API calls 4005->4008 4007 405516 5 API calls 4006->4007 4009 403d53 4007->4009 4010 403ce2 4008->4010 4011 403d57 4009->4011 4012 403d6f 4009->4012 4013 403cf0 GetClassInfoW 4010->4013 4017 406760 3 API calls 4010->4017 4019 40140b 2 API calls 4011->4019 4011->4020 4016 40140b 2 API calls 4012->4016 4014 403d04 GetClassInfoW RegisterClassW 4013->4014 4015 403d1a DialogBoxParamW 4013->4015 4014->4015 4018 40140b 2 API calls 4015->4018 4016->4020 4017->4013 4018->4020 4019->4020 4020->3881 4021->3868 4022->3904 4023->3869 4024->3910 4025->3922 4027 405f0d GetTickCount GetTempFileNameW 4026->4027 4028 405f43 4027->4028 4029 40348d 4027->4029 4028->4027 4028->4029 4029->3857 4030->3939 4031->3941 4032->3945 4034 402fd2 4033->4034 4035 402fba 4033->4035 4038 402fe2 GetTickCount 4034->4038 4039 402fda 4034->4039 4036 402fc3 DestroyWindow 4035->4036 4037 402fca 4035->4037 4036->4037 4037->3948 4041 402ff0 CreateDialogParamW ShowWindow 4038->4041 4042 403013 4038->4042 4040 40680c 2 API calls 4039->4040 4043 402fe0 4040->4043 4041->4042 4042->3948 4043->3948 4044->3956 4045->3955 4047 403d94 4046->4047 4056 406322 wsprintfW 4047->4056 4049 
403e05 4057 403e39 4049->4057 4051 403b35 4051->3978 4052 403e0a 4052->4051 4053 406418 17 API calls 4052->4053 4053->4052 4054->3975 4055->3980 4056->4049 4058 406418 17 API calls 4057->4058 4059 403e47 SetWindowTextW 4058->4059 4059->4052 4550 40190f 4551 402d3e 17 API calls 4550->4551 4552 401916 4551->4552 4553 405a41 MessageBoxIndirectW 4552->4553 4554 40191f 4553->4554 4555 401491 4556 405443 24 API calls 4555->4556 4557 401498 4556->4557 4558 401f12 4559 402d3e 17 API calls 4558->4559 4560 401f18 4559->4560 4561 402d3e 17 API calls 4560->4561 4562 401f21 4561->4562 4563 402d3e 17 API calls 4562->4563 4564 401f2a 4563->4564 4565 402d3e 17 API calls 4564->4565 4566 401f33 4565->4566 4567 401423 24 API calls 4566->4567 4568 401f3a 4567->4568 4575 405a07 ShellExecuteExW 4568->4575 4570 401f82 4571 402925 4570->4571 4572 40687b 5 API calls 4570->4572 4573 401f9f CloseHandle 4572->4573 4573->4571 4575->4570 4576 402614 4577 402d3e 17 API calls 4576->4577 4578 40261b 4577->4578 4581 405ed1 GetFileAttributesW CreateFileW 4578->4581 4580 402627 4581->4580 4582 402596 4583 402d7e 17 API calls 4582->4583 4584 4025a0 4583->4584 4585 402d1c 17 API calls 4584->4585 4586 4025a9 4585->4586 4587 4025d1 RegEnumValueW 4586->4587 4588 4025c5 RegEnumKeyW 4586->4588 4590 402925 4586->4590 4589 4025e6 RegCloseKey 4587->4589 4588->4589 4589->4590 4592 401d17 4593 402d1c 17 API calls 4592->4593 4594 401d1d IsWindow 4593->4594 4595 401a20 4594->4595 4207 401b9b 4208 401bec 4207->4208 4213 401ba8 4207->4213 4209 401c16 GlobalAlloc 4208->4209 4211 401bf1 4208->4211 4212 406418 17 API calls 4209->4212 4210 406418 17 API calls 4215 40238f 4210->4215 4220 402395 4211->4220 4228 4063db lstrcpynW 4211->4228 4217 401c31 4212->4217 4214 401bbf 4213->4214 4213->4217 4226 4063db lstrcpynW 4214->4226 4222 405a41 MessageBoxIndirectW 4215->4222 4217->4210 4217->4220 4219 401c03 GlobalFree 4219->4220 4221 401bce 4227 4063db lstrcpynW 4221->4227 4222->4220 4224 401bdd 4229 4063db lstrcpynW 
4224->4229 4226->4221 4227->4224 4228->4219 4229->4220 4236 402b9d SendMessageW 4237 402bc2 4236->4237 4238 402bb7 InvalidateRect 4236->4238 4238->4237 4603 404d9e GetDlgItem GetDlgItem 4604 404df2 7 API calls 4603->4604 4609 40501c 4603->4609 4605 404e9c DeleteObject 4604->4605 4606 404e8f SendMessageW 4604->4606 4607 404ea7 4605->4607 4606->4605 4610 404ede 4607->4610 4612 406418 17 API calls 4607->4612 4608 405104 4611 4051ad 4608->4611 4614 40500f 4608->4614 4619 40515a SendMessageW 4608->4619 4609->4608 4635 40508e 4609->4635 4657 404cec SendMessageW 4609->4657 4613 404331 18 API calls 4610->4613 4615 4051c2 4611->4615 4616 4051b6 SendMessageW 4611->4616 4617 404ec0 SendMessageW SendMessageW 4612->4617 4618 404ef2 4613->4618 4621 404398 8 API calls 4614->4621 4627 4051d4 ImageList_Destroy 4615->4627 4628 4051db 4615->4628 4632 4051eb 4615->4632 4616->4615 4617->4607 4623 404331 18 API calls 4618->4623 4619->4614 4625 40516f SendMessageW 4619->4625 4620 4050f6 SendMessageW 4620->4608 4626 4053b0 4621->4626 4636 404f03 4623->4636 4624 405364 4624->4614 4633 405376 ShowWindow GetDlgItem ShowWindow 4624->4633 4630 405182 4625->4630 4627->4628 4631 4051e4 GlobalFree 4628->4631 4628->4632 4629 404fde GetWindowLongW SetWindowLongW 4634 404ff7 4629->4634 4641 405193 SendMessageW 4630->4641 4631->4632 4632->4624 4650 405226 4632->4650 4662 404d6c 4632->4662 4633->4614 4637 405014 4634->4637 4638 404ffc ShowWindow 4634->4638 4635->4608 4635->4620 4636->4629 4640 404f56 SendMessageW 4636->4640 4642 404fd9 4636->4642 4644 404f94 SendMessageW 4636->4644 4645 404fa8 SendMessageW 4636->4645 4656 404366 SendMessageW 4637->4656 4655 404366 SendMessageW 4638->4655 4640->4636 4641->4611 4642->4629 4642->4634 4644->4636 4645->4636 4647 405330 4648 40533a InvalidateRect 4647->4648 4651 405346 4647->4651 4648->4651 4649 405254 SendMessageW 4654 40526a 4649->4654 4650->4649 4650->4654 4651->4624 4652 404ca7 20 API calls 4651->4652 4652->4624 4653 4052de SendMessageW SendMessageW 
4653->4654 4654->4647 4654->4653 4655->4614 4656->4609 4658 404d4b SendMessageW 4657->4658 4659 404d0f GetMessagePos ScreenToClient SendMessageW 4657->4659 4660 404d43 4658->4660 4659->4660 4661 404d48 4659->4661 4660->4635 4661->4658 4671 4063db lstrcpynW 4662->4671 4664 404d7f 4672 406322 wsprintfW 4664->4672 4666 404d89 4667 40140b 2 API calls 4666->4667 4668 404d92 4667->4668 4673 4063db lstrcpynW 4668->4673 4670 404d99 4670->4650 4671->4664 4672->4666 4673->4670 4674 40149e 4675 402395 4674->4675 4676 4014ac PostQuitMessage 4674->4676 4676->4675 4677 4044a1 lstrlenW 4678 4044c0 4677->4678 4679 4044c2 WideCharToMultiByte 4677->4679 4678->4679 3571 4021a2 3572 402d3e 17 API calls 3571->3572 3573 4021a9 3572->3573 3574 402d3e 17 API calls 3573->3574 3575 4021b3 3574->3575 3576 402d3e 17 API calls 3575->3576 3577 4021bd 3576->3577 3578 402d3e 17 API calls 3577->3578 3579 4021c7 3578->3579 3580 402d3e 17 API calls 3579->3580 3582 4021d1 3580->3582 3581 402210 CoCreateInstance 3586 40222f 3581->3586 3582->3581 3583 402d3e 17 API calls 3582->3583 3583->3581 3584 401423 24 API calls 3585 4022ee 3584->3585 3586->3584 3586->3585 3587 404822 3588 40484e 3587->3588 3589 40485f 3587->3589 3667 405a25 GetDlgItemTextW 3588->3667 3591 40486b GetDlgItem 3589->3591 3593 4048d7 3589->3593 3596 40487f 3591->3596 3592 404859 3595 40668a 5 API calls 3592->3595 3594 4049ae 3593->3594 3598 404b5d 3593->3598 3601 406418 17 API calls 3593->3601 3594->3598 3654 405a25 GetDlgItemTextW 3594->3654 3595->3589 3597 404893 SetWindowTextW 3596->3597 3600 405d5b 4 API calls 3596->3600 3603 404331 18 API calls 3597->3603 3604 404398 8 API calls 3598->3604 3605 404889 3600->3605 3606 40493e SHBrowseForFolderW 3601->3606 3602 4049de 3607 405db8 18 API calls 3602->3607 3608 4048af 3603->3608 3609 404b71 3604->3609 3605->3597 3613 405cb0 3 API calls 3605->3613 3606->3594 3610 404956 CoTaskMemFree 3606->3610 3611 4049e4 3607->3611 3612 404331 18 API calls 3608->3612 3614 405cb0 3 API calls 3610->3614 
3655 4063db lstrcpynW 3611->3655 3615 4048bd 3612->3615 3613->3597 3616 404963 3614->3616 3653 404366 SendMessageW 3615->3653 3619 40499a SetDlgItemTextW 3616->3619 3624 406418 17 API calls 3616->3624 3619->3594 3620 4049fb 3622 4067d0 5 API calls 3620->3622 3621 4048c3 3623 4067d0 5 API calls 3621->3623 3632 404a02 3622->3632 3625 4048ca 3623->3625 3626 404982 lstrcmpiW 3624->3626 3625->3598 3628 4048d2 SHAutoComplete 3625->3628 3626->3619 3630 404993 lstrcatW 3626->3630 3627 404a43 3668 4063db lstrcpynW 3627->3668 3628->3593 3630->3619 3631 404a11 GetDiskFreeSpaceExW 3631->3632 3640 404a9b 3631->3640 3632->3627 3632->3631 3635 405cfc 2 API calls 3632->3635 3633 404a4a 3634 405d5b 4 API calls 3633->3634 3636 404a50 3634->3636 3635->3632 3637 404a56 3636->3637 3638 404a59 GetDiskFreeSpaceW 3636->3638 3637->3638 3639 404a74 MulDiv 3638->3639 3638->3640 3639->3640 3641 404b0c 3640->3641 3656 404ca7 3640->3656 3643 404b2f 3641->3643 3669 40140b 3641->3669 3672 404353 KiUserCallbackDispatcher 3643->3672 3647 404b0e SetDlgItemTextW 3647->3641 3648 404afe 3659 404bde 3648->3659 3649 404b4b 3649->3598 3651 404b58 3649->3651 3673 40477b 3651->3673 3653->3621 3654->3602 3655->3620 3657 404bde 20 API calls 3656->3657 3658 404af9 3657->3658 3658->3647 3658->3648 3660 404bf7 3659->3660 3661 406418 17 API calls 3660->3661 3662 404c5b 3661->3662 3663 406418 17 API calls 3662->3663 3664 404c66 3663->3664 3665 406418 17 API calls 3664->3665 3666 404c7c lstrlenW wsprintfW SetDlgItemTextW 3665->3666 3666->3641 3667->3592 3668->3633 3670 401389 2 API calls 3669->3670 3671 401420 3670->3671 3671->3643 3672->3649 3674 404789 3673->3674 3675 40478e SendMessageW 3673->3675 3674->3675 3675->3598 3676 402522 3687 402d7e 3676->3687 3679 402d3e 17 API calls 3680 402535 3679->3680 3681 402540 RegQueryValueExW 3680->3681 3684 402925 3680->3684 3682 402560 3681->3682 3683 402566 RegCloseKey 3681->3683 3682->3683 3692 406322 wsprintfW 3682->3692 3683->3684 3688 402d3e 17 API calls 3687->3688 
3689 402d95 3688->3689 3690 406248 RegOpenKeyExW 3689->3690 3691 40252c 3690->3691 3691->3679 3692->3683 4680 4015a3 4681 402d3e 17 API calls 4680->4681 4682 4015aa SetFileAttributesW 4681->4682 4683 4015bc 4682->4683 3715 401fa4 3716 402d3e 17 API calls 3715->3716 3717 401faa 3716->3717 3718 405443 24 API calls 3717->3718 3719 401fb4 3718->3719 3730 4059c4 CreateProcessW 3719->3730 3722 401fdd CloseHandle 3725 402925 3722->3725 3726 401fcf 3727 401fd4 3726->3727 3728 401fdf 3726->3728 3738 406322 wsprintfW 3727->3738 3728->3722 3731 401fba 3730->3731 3732 4059f7 CloseHandle 3730->3732 3731->3722 3731->3725 3733 40687b WaitForSingleObject 3731->3733 3732->3731 3734 406895 3733->3734 3735 4068a7 GetExitCodeProcess 3734->3735 3739 40680c 3734->3739 3735->3726 3738->3722 3740 406829 PeekMessageW 3739->3740 3741 406839 WaitForSingleObject 3740->3741 3742 40681f DispatchMessageW 3740->3742 3741->3734 3742->3740 3773 4023aa 3774 4023b2 3773->3774 3775 4023b8 3773->3775 3776 402d3e 17 API calls 3774->3776 3777 4023c6 3775->3777 3778 402d3e 17 API calls 3775->3778 3776->3775 3779 4023d4 3777->3779 3780 402d3e 17 API calls 3777->3780 3778->3777 3781 402d3e 17 API calls 3779->3781 3780->3779 3782 4023dd WritePrivateProfileStringW 3781->3782 4684 40202a 4685 402d3e 17 API calls 4684->4685 4686 402031 4685->4686 4687 4067d0 5 API calls 4686->4687 4688 402040 4687->4688 4689 40205c GlobalAlloc 4688->4689 4690 4020c4 4688->4690 4689->4690 4691 402070 4689->4691 4692 4067d0 5 API calls 4691->4692 4693 402077 4692->4693 4694 4067d0 5 API calls 4693->4694 4695 402081 4694->4695 4695->4690 4699 406322 wsprintfW 4695->4699 4697 4020b6 4700 406322 wsprintfW 4697->4700 4699->4697 4700->4690 4701 402f2b 4702 402f56 4701->4702 4703 402f3d SetTimer 4701->4703 4704 402fab 4702->4704 4705 402f70 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4702->4705 4703->4702 4705->4704 4706 40242c 4707 402434 4706->4707 4708 40245f 4706->4708 4709 402d7e 17 API calls 4707->4709 4710 402d3e 17 API 
calls 4708->4710 4711 40243b 4709->4711 4712 402466 4710->4712 4714 402d3e 17 API calls 4711->4714 4716 402473 4711->4716 4717 402dfc 4712->4717 4715 40244c RegDeleteValueW RegCloseKey 4714->4715 4715->4716 4718 402e09 4717->4718 4719 402e10 4717->4719 4718->4716 4719->4718 4721 402e41 4719->4721 4722 406248 RegOpenKeyExW 4721->4722 4723 402e6f 4722->4723 4724 402e7f RegEnumValueW 4723->4724 4731 402f19 4723->4731 4733 402ea2 4723->4733 4725 402f09 RegCloseKey 4724->4725 4724->4733 4725->4731 4726 402ede RegEnumKeyW 4727 402ee7 RegCloseKey 4726->4727 4726->4733 4728 4067d0 5 API calls 4727->4728 4729 402ef7 4728->4729 4729->4731 4732 402efb RegDeleteKeyW 4729->4732 4730 402e41 6 API calls 4730->4733 4731->4718 4732->4731 4733->4725 4733->4726 4733->4727 4733->4730 4734 406f2f 4736 40697e 4734->4736 4735 4072e9 4736->4735 4736->4736 4737 406a08 GlobalAlloc 4736->4737 4738 4069ff GlobalFree 4736->4738 4739 406a76 GlobalFree 4736->4739 4740 406a7f GlobalAlloc 4736->4740 4737->4735 4737->4736 4738->4737 4739->4740 4740->4735 4740->4736 4741 401a30 4742 402d3e 17 API calls 4741->4742 4743 401a39 ExpandEnvironmentStringsW 4742->4743 4744 401a60 4743->4744 4745 401a4d 4743->4745 4745->4744 4746 401a52 lstrcmpW 4745->4746 4746->4744 4759 401735 4760 402d3e 17 API calls 4759->4760 4761 40173c SearchPathW 4760->4761 4762 401757 4761->4762 4763 402636 4764 402665 4763->4764 4765 40264a 4763->4765 4767 402695 4764->4767 4768 40266a 4764->4768 4766 402d1c 17 API calls 4765->4766 4777 402651 4766->4777 4769 402d3e 17 API calls 4767->4769 4770 402d3e 17 API calls 4768->4770 4771 40269c lstrlenW 4769->4771 4772 402671 4770->4772 4771->4777 4780 4063fd WideCharToMultiByte 4772->4780 4774 402685 lstrlenA 4774->4777 4775 4026df 4776 4026c9 4776->4775 4778 405f83 WriteFile 4776->4778 4777->4775 4777->4776 4779 405fb2 5 API calls 4777->4779 4778->4775 4779->4776 4780->4774 4781 4053b7 4782 4053c7 4781->4782 4783 4053db 4781->4783 4785 405424 4782->4785 4786 4053cd 4782->4786 4784 
4053e3 IsWindowVisible 4783->4784 4792 4053fa 4783->4792 4784->4785 4787 4053f0 4784->4787 4788 405429 CallWindowProcW 4785->4788 4789 40437d SendMessageW 4786->4789 4790 404cec 5 API calls 4787->4790 4791 4053d7 4788->4791 4789->4791 4790->4792 4792->4788 4793 404d6c 4 API calls 4792->4793 4793->4785 4801 401d38 4802 402d1c 17 API calls 4801->4802 4803 401d3f 4802->4803 4804 402d1c 17 API calls 4803->4804 4805 401d4b GetDlgItem 4804->4805 4806 402630 4805->4806 4807 4014b8 4808 4014be 4807->4808 4809 401389 2 API calls 4808->4809 4810 4014c6 4809->4810 4811 4028bb 4812 4028c1 4811->4812 4813 402bc2 4812->4813 4814 4028c9 FindClose 4812->4814 4814->4813

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • SetErrorMode.KERNELBASE ref: 004034B2
                                                                      • GetVersion.KERNEL32 ref: 004034B8
                                                                      • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034EB
                                                                      • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403528
                                                                      • OleInitialize.OLE32(00000000), ref: 0040352F
                                                                      • SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 0040354B
                                                                      • GetCommandLineW.KERNEL32(00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 00403560
                                                                      • CharNextW.USER32(00000000,"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe",00000020,"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe",00000000,?,00000007,00000009,0000000B), ref: 00403598
                                                                        • Part of subcall function 004067D0: GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
                                                                        • Part of subcall function 004067D0: GetProcAddress.KERNEL32(00000000,?), ref: 004067FD
                                                                      • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036D2
                                                                      • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036E3
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004036EF
                                                                      • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403703
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040370B
                                                                      • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040371C
                                                                      • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403724
                                                                      • DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403738
                                                                        • Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8
                                                                      • ExitProcess.KERNEL32(00000007,?,00000007,00000009,0000000B), ref: 004037FE
                                                                      • OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403803
                                                                      • ExitProcess.KERNEL32 ref: 00403824
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403837
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403846
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403851
                                                                      • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 0040385D
                                                                      • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403879
                                                                      • DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,00000009,?,00000007,00000009,0000000B), ref: 004038D3
                                                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,00420EC8,00000001,?,00000007,00000009,0000000B), ref: 004038E7
                                                                      • CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000,?,00000007,00000009,0000000B), ref: 00403914
                                                                      • GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403943
                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 0040394A
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040395F
                                                                      • AdjustTokenPrivileges.ADVAPI32 ref: 00403982
                                                                      • ExitWindowsEx.USER32(00000002,80040002), ref: 004039A7
                                                                      • ExitProcess.KERNEL32 ref: 004039CA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                      • String ID: "C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe"$.tmp$1033$C:\Program Files\douwan$C:\Program Files\douwan$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu

                                                                      Control-flow Graph (graph image not reproduced; first block 405582-40559d)
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,00000403), ref: 004055E0
                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004055EF
                                                                      • GetClientRect.USER32(?,?), ref: 0040562C
                                                                      • GetSystemMetrics.USER32(00000002), ref: 00405633
                                                                      • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405654
                                                                      • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405665
                                                                      • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405678
                                                                      • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405686
                                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405699
                                                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056BB
                                                                      • ShowWindow.USER32(?,00000008), ref: 004056CF
                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004056F0
                                                                      • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405700
                                                                      • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405719
                                                                      • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405725
                                                                      • GetDlgItem.USER32(?,000003F8), ref: 004055FE
                                                                        • Part of subcall function 00404366: SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374
                                                                      • GetDlgItem.USER32(?,000003EC), ref: 00405742
                                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00005516,00000000), ref: 00405750
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00405757
                                                                      • ShowWindow.USER32(00000000), ref: 0040577B
                                                                      • ShowWindow.USER32(?,00000008), ref: 00405780
                                                                      • ShowWindow.USER32(00000008), ref: 004057CA
                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004057FE
                                                                      • CreatePopupMenu.USER32 ref: 0040580F
                                                                      • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405823
                                                                      • GetWindowRect.USER32(?,?), ref: 00405843
                                                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040585C
                                                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405894
                                                                      • OpenClipboard.USER32(00000000), ref: 004058A4
                                                                      • EmptyClipboard.USER32 ref: 004058AA
                                                                      • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058B6
                                                                      • GlobalLock.KERNEL32(00000000), ref: 004058C0
                                                                      • SendMessageW.USER32(?,00001073,00000000,?), ref: 004058D4
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 004058F4
                                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004058FF
                                                                      • CloseClipboard.USER32 ref: 00405905
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2149477247.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2149517999.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2149538277.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2149538277.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2149538277.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2149538277.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2149538277.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2149538277.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2149538277.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2149735775.0000000000440000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2149735775.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                      • String ID: {
                                                                      • API String ID: 590372296-366298937
                                                                      • Opcode ID: 30274ff220e81b54042d5ec4385cd695e560e63cfee1f62d03a7a46aa2ec4b26
                                                                      • Instruction ID: 548bfd7703c7e8b67cc6bd423be8dd859740628245fa72e8840ee51ebf386eb0
                                                                      • Opcode Fuzzy Hash: 30274ff220e81b54042d5ec4385cd695e560e63cfee1f62d03a7a46aa2ec4b26
                                                                      • Instruction Fuzzy Hash: D0B159B0900609FFDB11AF61DD89AAE7B79FB44354F00803AFA45B61A0C7754E51DF68

                                                                      Control-flow Graph (graph image not reproduced; first block 404822-40484c)
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003FB), ref: 00404871
                                                                      • SetWindowTextW.USER32(00000000,?), ref: 0040489B
                                                                      • SHAutoComplete.SHLWAPI(00000000,00000001,00000008,00000000,?,00000014,?,?,00000001,?), ref: 004048D5
                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 0040494C
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00404957
                                                                      • lstrcmpiW.KERNEL32(Remove folder: ,00423708,00000000,?,?), ref: 00404989
                                                                      • lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404995
                                                                      • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049A7
                                                                        • Part of subcall function 00405A25: GetDlgItemTextW.USER32(?,?,00000400,004049DE), ref: 00405A38
                                                                        • Part of subcall function 0040668A: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 004066ED
                                                                        • Part of subcall function 0040668A: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 004066FC
                                                                        • Part of subcall function 0040668A: CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406701
                                                                        • Part of subcall function 0040668A: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406714
                                                                      • GetDiskFreeSpaceExW.KERNELBASE(004216D8,?,?,?,00000001,004216D8,?,?,000003FB,?), ref: 00404A1E
                                                                      • GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404A6A
                                                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404A85
                                                                        • Part of subcall function 00404BDE: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C7F
                                                                        • Part of subcall function 00404BDE: wsprintfW.USER32 ref: 00404C88
                                                                        • Part of subcall function 00404BDE: SetDlgItemTextW.USER32(?,00423708), ref: 00404C9B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                      • String ID: A$C:\Program Files\douwan$Remove folder:
                                                                      • API String ID: 4039761011-903848360
                                                                      • Opcode ID: 03aa1e1e8a7938e868f1155200cdfee246f5add4c9c386fb6b0602fffaeb6448
                                                                      • Instruction ID: d667353cedc46192e8d163e6c277cef07b4b15ed6202573052c67ff26174fc6d
                                                                      • Opcode Fuzzy Hash: 03aa1e1e8a7938e868f1155200cdfee246f5add4c9c386fb6b0602fffaeb6448
                                                                      • Instruction Fuzzy Hash: 02A194B1A00209ABDB11AFA5CD45AAF77B8EF84314F10803BF611B62D1D77C99418F6D

                                                                      Control-flow Graph (graph image not reproduced; first block 405aed-405b13)
                                                                      APIs
                                                                      • DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B16
                                                                      • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\*.*,\*.*), ref: 00405B5E
                                                                      • lstrcatW.KERNEL32(?,0040A014), ref: 00405B81
                                                                      • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B87
                                                                      • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\*.*,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B97
                                                                      • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C37
                                                                      • FindClose.KERNEL32(00000000), ref: 00405C46
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                      • String ID: "C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\*.*$\*.*
                                                                      • API String ID: 2035342205-1965358255
                                                                      • Opcode ID: 9036ba2aa722766dc29abb0410fb58961029e1c042b72e4e8ea17b50247261c3
                                                                      • Instruction ID: 6d977be599016ad98dbda8fdbba8a7eaa4df1add9cdfb0a4bac278b573c77b22
                                                                      • Opcode Fuzzy Hash: 9036ba2aa722766dc29abb0410fb58961029e1c042b72e4e8ea17b50247261c3
                                                                      • Instruction Fuzzy Hash: 1A41D530904A18AAEB216B65DC8AABF7678EF41718F10413FF801B11D1D77C5AC1DEAE
                                                                      APIs
                                                                      • FindFirstFileW.KERNELBASE(74DF3420,00426758,00425F10,00405E01,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00406744
                                                                      • FindClose.KERNEL32(00000000), ref: 00406750
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Find$CloseFileFirst
                                                                      • String ID: XgB
                                                                      • API String ID: 2295610775-796949446
                                                                      APIs
                                                                      • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221
                                                                      Strings
                                                                      • C:\Program Files\douwan, xrefs: 00402261
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: CreateInstance
                                                                      • String ID: C:\Program Files\douwan
                                                                      • API String ID: 542301482-869346558

                                                                      Control-flow Graph

                                                                      [Figure: control-flow graph for the function starting at 403e58; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E94
                                                                      • ShowWindow.USER32(?), ref: 00403EB1
                                                                      • DestroyWindow.USER32 ref: 00403EC5
                                                                      • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EE1
                                                                      • GetDlgItem.USER32(?,?), ref: 00403F02
                                                                      • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F16
                                                                      • IsWindowEnabled.USER32(00000000), ref: 00403F1D
                                                                      • GetDlgItem.USER32(?,00000001), ref: 00403FCB
                                                                      • GetDlgItem.USER32(?,00000002), ref: 00403FD5
                                                                      • SetClassLongW.USER32(?,000000F2,?), ref: 00403FEF
                                                                      • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404040
                                                                      • GetDlgItem.USER32(?,00000003), ref: 004040E6
                                                                      • ShowWindow.USER32(00000000,?), ref: 00404107
                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404119
                                                                      • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404134
                                                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040414A
                                                                      • EnableMenuItem.USER32(00000000), ref: 00404151
                                                                      • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404169
                                                                      • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040417C
                                                                      • lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004041A6
                                                                      • SetWindowTextW.USER32(?,00423708), ref: 004041BA
                                                                      • ShowWindow.USER32(?,0000000A), ref: 004042EE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Item$MessageSend$Show$CallbackDispatcherLongMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
                                                                      • String ID:
                                                                      • API String ID: 1252290697-0

                                                                      Control-flow Graph

                                                                      [Figure: control-flow graph for the function starting at 403aaa; legend: Executed / Not Executed]
                                                                      APIs
                                                                        • Part of subcall function 004067D0: GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
                                                                        • Part of subcall function 004067D0: GetProcAddress.KERNEL32(00000000,?), ref: 004067FD
                                                                      • lstrcatW.KERNEL32(1033,00423708), ref: 00403B2B
                                                                      • lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files\douwan,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,74DF3420), ref: 00403BAB
                                                                      • lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files\douwan,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403BBE
                                                                      • GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403BC9
                                                                      • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files\douwan), ref: 00403C12
                                                                        • Part of subcall function 00406322: wsprintfW.USER32 ref: 0040632F
                                                                      • RegisterClassW.USER32(004291C0), ref: 00403C4F
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C67
                                                                      • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C9C
                                                                      • ShowWindow.USER32(00000005,00000000), ref: 00403CD2
                                                                      • GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403CFE
                                                                      • GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403D0B
                                                                      • RegisterClassW.USER32(004291C0), ref: 00403D14
                                                                      • DialogBoxParamW.USER32(?,00000000,00403E58,00000000), ref: 00403D33
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                      • String ID: "C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files\douwan$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                      • API String ID: 1975747703-293549253

                                                                      Control-flow Graph

                                                                      [Figure: control-flow graph for the function starting at 4044f0; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040458E
                                                                      • GetDlgItem.USER32(?,000003E8), ref: 004045A2
                                                                      • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045BF
                                                                      • GetSysColor.USER32(?), ref: 004045D0
                                                                      • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004045DE
                                                                      • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004045EC
                                                                      • lstrlenW.KERNEL32(?), ref: 004045F1
                                                                      • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004045FE
                                                                      • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404613
                                                                      • GetDlgItem.USER32(?,0000040A), ref: 0040466C
                                                                      • SendMessageW.USER32(00000000), ref: 00404673
                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0040469E
                                                                      • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004046E1
                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 004046EF
                                                                      • SetCursor.USER32(00000000), ref: 004046F2
                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0040470B
                                                                      • SetCursor.USER32(00000000), ref: 0040470E
                                                                      • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040473D
                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040474F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                      • String ID: N$Remove folder: $gD@
                                                                      • API String ID: 3103080414-2607294653
                                                                      • Opcode ID: c2a8691b99c0880d176a200d2dcbd178e790d1d94455f1632e384604a8e92c19
                                                                      • Instruction ID: c6d0c18f0759a08483bb7b351ebc970df30fae26c4fd20534e815ca7361c8267
                                                                      • Opcode Fuzzy Hash: c2a8691b99c0880d176a200d2dcbd178e790d1d94455f1632e384604a8e92c19
                                                                      • Instruction Fuzzy Hash: FB6171B1900209BFDF10AF64DD85AAA7B69FB85314F00813AFA05B72D0D7789D51DB98

                                                                      Control-flow Graph

                                                                      control_flow_graph 514 403015-403063 GetTickCount GetModuleFileNameW call 405ed1 517 403065-40306a 514->517 518 40306f-40309d call 4063db call 405cfc call 4063db GetFileSize 514->518 520 403245-403249 517->520 526 4030a3 518->526 527 403188-403196 call 402fb1 518->527 529 4030a8-4030bf 526->529 533 403198-40319b 527->533 534 4031eb-4031f0 527->534 531 4030c1 529->531 532 4030c3-4030cc call 403431 529->532 531->532 540 4031f2-4031fa call 402fb1 532->540 541 4030d2-4030d9 532->541 536 40319d-4031b5 call 403447 call 403431 533->536 537 4031bf-4031e9 GlobalAlloc call 403447 call 40324c 533->537 534->520 536->534 563 4031b7-4031bd 536->563 537->534 561 4031fc-40320d 537->561 540->534 545 403155-403159 541->545 546 4030db-4030ef call 405e8c 541->546 551 403163-403169 545->551 552 40315b-403162 call 402fb1 545->552 546->551 560 4030f1-4030f8 546->560 557 403178-403180 551->557 558 40316b-403175 call 4068bd 551->558 552->551 557->529 562 403186 557->562 558->557 560->551 567 4030fa-403101 560->567 568 403215-40321a 561->568 569 40320f 561->569 562->527 563->534 563->537 567->551 570 403103-40310a 567->570 571 40321b-403221 568->571 569->568 570->551 572 40310c-403113 570->572 571->571 573 403223-40323e SetFilePointer call 405e8c 571->573 572->551 574 403115-403135 572->574 577 403243 573->577 574->534 576 40313b-40313f 574->576 578 403141-403145 576->578 579 403147-40314f 576->579 577->520 578->562 578->579 579->551 580 403151-403153 579->580 580->551
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00403026
                                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042
                                                                        • Part of subcall function 00405ED1: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
                                                                        • Part of subcall function 00405ED1: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7
                                                                      • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
                                                                      • GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                      • String ID: "C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                      • API String ID: 2803837635-3695797648
                                                                      • Opcode ID: fa13849d2eaab58bf90f01742d0d046995d4f5e6307ade025cca05ed6f7e5f90
                                                                      • Instruction ID: a1180c22f2f56a455fdba696775536d8b2bad2e91b267b1d20a8a943b96b17b0
                                                                      • Opcode Fuzzy Hash: fa13849d2eaab58bf90f01742d0d046995d4f5e6307ade025cca05ed6f7e5f90
                                                                      • Instruction Fuzzy Hash: DD51E571904204ABDB209F64DD81B9E7EACEB05316F20407BF905BA3D1C77D8E81876D

                                                                      Control-flow Graph

                                                                      control_flow_graph 581 406418-406423 582 406425-406434 581->582 583 406436-40644c 581->583 582->583 584 406452-40645f 583->584 585 406664-40666a 583->585 584->585 588 406465-40646c 584->588 586 406670-40667b 585->586 587 406471-40647e 585->587 589 406686-406687 586->589 590 40667d-406681 call 4063db 586->590 587->586 591 406484-406490 587->591 588->585 590->589 593 406651 591->593 594 406496-4064d4 591->594 597 406653-40665d 593->597 598 40665f-406662 593->598 595 4065f4-4065f8 594->595 596 4064da-4064e5 594->596 601 4065fa-406600 595->601 602 40662b-40662f 595->602 599 4064e7-4064ec 596->599 600 4064fe 596->600 597->585 598->585 599->600 603 4064ee-4064f1 599->603 606 406505-40650c 600->606 604 406610-40661c call 4063db 601->604 605 406602-40660e call 406322 601->605 607 406631-406639 call 406418 602->607 608 40663e-40664f lstrlenW 602->608 603->600 609 4064f3-4064f6 603->609 619 406621-406627 604->619 605->619 611 406511-406513 606->611 612 40650e-406510 606->612 607->608 608->585 609->600 615 4064f8-4064fc 609->615 617 406515-406533 call 4062a9 611->617 618 40654e-406551 611->618 612->611 615->606 627 406538-40653c 617->627 620 406561-406564 618->620 621 406553-40655f GetSystemDirectoryW 618->621 619->608 623 406629 619->623 625 406566-406574 GetWindowsDirectoryW 620->625 626 4065cf-4065d1 620->626 624 4065d3-4065d7 621->624 628 4065ec-4065f2 call 40668a 623->628 624->628 633 4065d9 624->633 625->626 626->624 630 406576-406580 626->630 631 406542-406549 call 406418 627->631 632 4065dc-4065df 627->632 628->608 635 406582-406585 630->635 636 40659a-4065b0 SHGetSpecialFolderLocation 630->636 631->624 632->628 638 4065e1-4065e7 lstrcatW 632->638 633->632 635->636 639 406587-40658e 635->639 640 4065b2-4065c9 SHGetPathFromIDListW CoTaskMemFree 636->640 641 4065cb 636->641 638->628 643 406596-406598 639->643 640->624 640->641 641->626 643->624 643->636
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 00406559
                                                                      • GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,?,0040547A,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000), ref: 0040656C
                                                                      • SHGetSpecialFolderLocation.SHELL32(0040547A,0360FDB4,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,?,0040547A,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000), ref: 004065A8
                                                                      • SHGetPathFromIDListW.SHELL32(0360FDB4,Remove folder: ), ref: 004065B6
                                                                      • CoTaskMemFree.OLE32(0360FDB4), ref: 004065C1
                                                                      • lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 004065E7
                                                                      • lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,?,0040547A,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000), ref: 0040663F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                      • String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                      • API String ID: 717251189-1818881141
                                                                      • Opcode ID: cf374de42321b31fcab9823a1dcbef99d7930476f55158ac4637f493945dcad9
                                                                      • Instruction ID: 14d1193dfffb306d7d50c4759d5107437c4365ff0453e231a2932b6079d00088
                                                                      • Opcode Fuzzy Hash: cf374de42321b31fcab9823a1dcbef99d7930476f55158ac4637f493945dcad9
                                                                      • Instruction Fuzzy Hash: 27612771A00111ABDF209F24ED40ABE37A5AF54314F12813FE943B62D0DB3E89A2CB5D

                                                                      Control-flow Graph

                                                                      control_flow_graph 708 40176f-401794 call 402d3e call 405d27 713 401796-40179c call 4063db 708->713 714 40179e-4017b0 call 4063db call 405cb0 lstrcatW 708->714 719 4017b5-4017b6 call 40668a 713->719 714->719 723 4017bb-4017bf 719->723 724 4017c1-4017cb call 406739 723->724 725 4017f2-4017f5 723->725 733 4017dd-4017ef 724->733 734 4017cd-4017db CompareFileTime 724->734 726 4017f7-4017f8 call 405eac 725->726 727 4017fd-401819 call 405ed1 725->727 726->727 735 40181b-40181e 727->735 736 40188d-4018b6 call 405443 call 40324c 727->736 733->725 734->733 737 401820-40185e call 4063db * 2 call 406418 call 4063db call 405a41 735->737 738 40186f-401879 call 405443 735->738 750 4018b8-4018bc 736->750 751 4018be-4018ca SetFileTime 736->751 737->723 770 401864-401865 737->770 748 401882-401888 738->748 753 402bcb 748->753 750->751 752 4018d0-4018db FindCloseChangeNotification 750->752 751->752 756 4018e1-4018e4 752->756 757 402bc2-402bc5 752->757 755 402bcd-402bd1 753->755 759 4018e6-4018f7 call 406418 lstrcatW 756->759 760 4018f9-4018fc call 406418 756->760 757->753 767 401901-40239a call 405a41 759->767 760->767 767->755 767->757 770->748 772 401867-401868 770->772 772->738
                                                                      APIs
                                                                      • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                                                                      • CompareFileTime.KERNEL32(-00000014,?,"C:\Program Files\douwan\DouWan.exe","C:\Program Files\douwan\DouWan.exe",00000000,00000000,"C:\Program Files\douwan\DouWan.exe",C:\Program Files\douwan,?,?,00000031), ref: 004017D5
                                                                        • Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8
                                                                        • Part of subcall function 00405443: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000,0360FDB4,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
                                                                        • Part of subcall function 00405443: lstrlenW.KERNEL32(00403385,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000,0360FDB4,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
                                                                        • Part of subcall function 00405443: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00403385), ref: 0040549E
                                                                        • Part of subcall function 00405443: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\), ref: 004054B0
                                                                        • Part of subcall function 00405443: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
                                                                        • Part of subcall function 00405443: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
                                                                        • Part of subcall function 00405443: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                      • String ID: "C:\Program Files\douwan\DouWan.exe"$C:\Program Files\douwan$State
                                                                      • API String ID: 1941528284-3557811920
                                                                      • Opcode ID: a285b5ef9a8d0e27ec373fd262653c080dac0f947244e1a28f58563a5fffe514
                                                                      • Instruction ID: 099db37703b38b7faa9c4b3761aa4ffcdc8a6de3d1088dc1ecc91c4b2867a8b7
                                                                      • Opcode Fuzzy Hash: a285b5ef9a8d0e27ec373fd262653c080dac0f947244e1a28f58563a5fffe514
                                                                      • Instruction Fuzzy Hash: BB41C171500118BACB10BFA5DC85DAE7A79EF41328F20423FF822B10E1C77C8A519A6E

                                                                      Control-flow Graph

                                                                      control_flow_graph 774 405443-405458 775 40545e-40546f 774->775 776 40550f-405513 774->776 777 405471-405475 call 406418 775->777 778 40547a-405486 lstrlenW 775->778 777->778 779 4054a3-4054a7 778->779 780 405488-405498 lstrlenW 778->780 783 4054b6-4054ba 779->783 784 4054a9-4054b0 SetWindowTextW 779->784 780->776 782 40549a-40549e lstrcatW 780->782 782->779 785 405500-405502 783->785 786 4054bc-4054fe SendMessageW * 3 783->786 784->783 785->776 787 405504-405507 785->787 786->785 787->776
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000,0360FDB4,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
                                                                      • lstrlenW.KERNEL32(00403385,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000,0360FDB4,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
                                                                      • lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00403385), ref: 0040549E
                                                                      • SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\), ref: 004054B0
                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
                                                                      • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
                                                                      • SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                      • String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\
                                                                      • API String ID: 2531174081-566931127
                                                                      • Opcode ID: bea2b5a7135099c68aadf7c6861b5a1d546924ebcd1bbda38a4905401ce86b05
                                                                      • Instruction ID: 73e5e0af396a9b9ac9a9b02969ae59ee3043c4a39b1bd1f3be19a3319d016d01
                                                                      • Opcode Fuzzy Hash: bea2b5a7135099c68aadf7c6861b5a1d546924ebcd1bbda38a4905401ce86b05
                                                                      • Instruction Fuzzy Hash: 14219D71900518BACB219F56DD44ACFBF79EF44350F10803AF904B62A0C7798A91DFA8

                                                                      Control-flow Graph

                                                                      control_flow_graph 788 405912-40595d CreateDirectoryW 789 405963-405970 GetLastError 788->789 790 40595f-405961 788->790 791 40598a-40598c 789->791 792 405972-405986 SetFileSecurityW 789->792 790->791 792->790 793 405988 GetLastError 792->793 793->791
                                                                      APIs
                                                                      • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405955
                                                                      • GetLastError.KERNEL32 ref: 00405969
                                                                      • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040597E
                                                                      • GetLastError.KERNEL32 ref: 00405988
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405938
                                                                      • C:\Users\user\Desktop, xrefs: 00405912
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                      • API String ID: 3449924974-2028306314
                                                                      • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                      • Instruction ID: dda0a131242ff184f2ccb02743bd446f17612fd9a9d8f3d2581d745ec2ea809b
                                                                      • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                      • Instruction Fuzzy Hash: 010108B1C00219EADF009BA0C944BEFBBB4EB04364F00803AD945B6180D77996488FA9

                                                                      Control-flow Graph

                                                                      control_flow_graph 794 406760-406780 GetSystemDirectoryW 795 406782 794->795 796 406784-406786 794->796 795->796 797 406797-406799 796->797 798 406788-406791 796->798 800 40679a-4067cd wsprintfW LoadLibraryExW 797->800 798->797 799 406793-406795 798->799 799->800
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406777
                                                                      • wsprintfW.USER32 ref: 004067B2
                                                                      • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067C6
                                                                      Similarity
                                                                      • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                      • String ID: %s%S.dll$UXTHEME$\
                                                                      • API String ID: 2200240437-1946221925
                                                                      • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                                      • Instruction ID: 9186df788a023ca5baadb024e2a35ee1fdde68eb784542ec1ecc189bc894a2fc
                                                                      • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                                      • Instruction Fuzzy Hash: 7EF0F670510119ABCB14AF64DD0DF9B37ACAB00309F10047AA646F20D0EB7CAA68CBA8

                                                                      APIs
                                                                      • GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
                                                                      • GlobalAlloc.KERNELBASE(00000040,?,00000000,?), ref: 004029B7
                                                                      • GlobalFree.KERNEL32(?), ref: 004029F0
                                                                      • GlobalFree.KERNELBASE(00000000), ref: 00402A03
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
                                                                      • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F
                                                                      Similarity
                                                                      • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                      • String ID:
                                                                      • API String ID: 2667972263-0
                                                                      • Opcode ID: 9585b057aeace9f05765ec40a1819513c98b1cabd0044d2486b3c8cea51100c8
                                                                      • Instruction ID: ed14628ef15dceb457173a83ab12e15034626edc11f01d0ebe9f464a1ada349c
                                                                      • Opcode Fuzzy Hash: 9585b057aeace9f05765ec40a1819513c98b1cabd0044d2486b3c8cea51100c8
                                                                      • Instruction Fuzzy Hash: A821C171800128BBCF216FA5DE49D9F7E79EF05364F20023AF564762E1CB794D419BA8

                                                                      Control-flow Graph

                                                                      control_flow_graph 836 40324c-403263 837 403265 836->837 838 40326c-403274 836->838 837->838 839 403276 838->839 840 40327b-403280 838->840 839->840 841 403290-40329d call 403431 840->841 842 403282-40328b call 403447 840->842 846 4032a3-4032a7 841->846 847 4033e8 841->847 842->841 848 4033d1-4033d3 846->848 849 4032ad-4032cd GetTickCount call 40692b 846->849 850 4033ea-4033eb 847->850 851 4033d5-4033d8 848->851 852 40341c-403420 848->852 860 403427 849->860 862 4032d3-4032db 849->862 854 40342a-40342e 850->854 855 4033da 851->855 856 4033dd-4033e6 call 403431 851->856 857 403422 852->857 858 4033ed-4033f3 852->858 855->856 856->847 870 403424 856->870 857->860 863 4033f5 858->863 864 4033f8-403406 call 403431 858->864 860->854 866 4032e0-4032ee call 403431 862->866 867 4032dd 862->867 863->864 864->847 872 403408-40340d call 405f83 864->872 866->847 875 4032f4-4032fd 866->875 867->866 870->860 876 403412-403414 872->876 877 403303-403320 call 40694b 875->877 878 403416-403419 876->878 879 4033cd-4033cf 876->879 882 403326-40333d GetTickCount 877->882 883 4033c9-4033cb 877->883 878->852 879->850 884 403388-40338a 882->884 885 40333f-403347 882->885 883->850 888 40338c-403390 884->888 889 4033bd-4033c1 884->889 886 403349-40334d 885->886 887 40334f-403380 MulDiv wsprintfW call 405443 885->887 886->884 886->887 894 403385 887->894 892 403392-403397 call 405f83 888->892 893 4033a5-4033ab 888->893 889->862 890 4033c7 889->890 890->860 897 40339c-40339e 892->897 896 4033b1-4033b5 893->896 894->884 896->877 898 4033bb 896->898 897->879 899 4033a0-4033a3 897->899 898->860 899->896
                                                                      Similarity
                                                                      • API ID: CountTick$wsprintf
                                                                      • String ID: ... %d%%
                                                                      • API String ID: 551687249-2449383134
                                                                      • Opcode ID: a52c8327a9bee33ac52521f57f2e9f4dbf915842efb05752905a13b6f3c483fb
                                                                      • Instruction ID: 0c386ab0f0708696bc676c49e8997792277d61a4d185bd6037e20a9e3331648f
                                                                      • Opcode Fuzzy Hash: a52c8327a9bee33ac52521f57f2e9f4dbf915842efb05752905a13b6f3c483fb
                                                                      • Instruction Fuzzy Hash: 7E516D71900219EBCB10DF65D984B9F3FA8AB00766F14417BFC10B72C1DB789E508BA9
                                                                      APIs
                                                                      • GetTickCount.KERNEL32 ref: 00405F1E
                                                                      • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe",0040348D,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9), ref: 00405F39
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F05
                                                                      • "C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe", xrefs: 00405F00
                                                                      • nsa, xrefs: 00405F0D
                                                                      Similarity
                                                                      • API ID: CountFileNameTempTick
                                                                      • String ID: "C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                      • API String ID: 1716503409-2485708141
                                                                      • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                                      • Instruction ID: 92234304539bf7ece852ec87847853e593a29ed380df2f8ac1d63cab01e19b90
                                                                      • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                                      • Instruction Fuzzy Hash: 9DF09076B00204BBEB00CF59ED09E9FB7ACEB95750F11803AEA44F7140E6B499548B68
                                                                      APIs
                                                                      • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                                      • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                                      Similarity
                                                                      • API ID: MessageSend$Timeout
                                                                      • String ID: !
                                                                      • API String ID: 1777923405-2657877971
                                                                      • Opcode ID: 85a27d883e9730f87e0fcbf2f18326d15f90d0f3bc73a62618d738046c98a18f
                                                                      • Instruction ID: dd4700ba4ce2c01fdcac70281bc34cd4026078c78447772ebe71ed50cab348e7
                                                                      • Opcode Fuzzy Hash: 85a27d883e9730f87e0fcbf2f18326d15f90d0f3bc73a62618d738046c98a18f
                                                                      • Instruction Fuzzy Hash: 3C21AD7195420AAEEF05AFB4D94AAAE7BB0EF44304F10453EF601B61D1D7B84941CBA8
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404C7F
                                                                      • wsprintfW.USER32 ref: 00404C88
                                                                      • SetDlgItemTextW.USER32(?,00423708), ref: 00404C9B
                                                                      Similarity
                                                                      • API ID: ItemTextlstrlenwsprintf
                                                                      • String ID: %u.%u%s%s
                                                                      • API String ID: 3540041739-3551169577
                                                                      • Opcode ID: 9a3c97ce391140f918be95dce8dfe3294aadcea186652c037715b03b85f4b34a
                                                                      • Instruction ID: 7c0a82a5d8c5e130c70e624adf1be80dcdc0ad06cf4f4d66f209f919317c7709
                                                                      • Opcode Fuzzy Hash: 9a3c97ce391140f918be95dce8dfe3294aadcea186652c037715b03b85f4b34a
                                                                      • Instruction Fuzzy Hash: 9B11D5736041283BEB00666D9C45EDE3298DBC5334F264237FA26F61D1E978CC2286E8
                                                                      APIs
                                                                        • Part of subcall function 00405D5B: CharNextW.USER32(?,?,00425F10,?,00405DCF,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D69
                                                                        • Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D6E
                                                                        • Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D86
                                                                      • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                        • Part of subcall function 00405912: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405955
                                                                      • SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files\douwan,?,00000000,000000F0), ref: 0040164D
                                                                      Strings
                                                                      • C:\Program Files\douwan, xrefs: 00401640
                                                                      Similarity
                                                                      • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                      • String ID: C:\Program Files\douwan
                                                                      • API String ID: 1892508949-869346558
                                                                      • Opcode ID: 0a8316340f92e831056d46a796daf77011545e4f9da01359f8b8fa5e627cb0d4
                                                                      • Instruction ID: 4b740b80641ba3a3eb8a8ec9adfde8f0bc1f07408697dd7e04d4643b588e1c06
                                                                      • Opcode Fuzzy Hash: 0a8316340f92e831056d46a796daf77011545e4f9da01359f8b8fa5e627cb0d4
                                                                      • Instruction Fuzzy Hash: 1411E231504114EBCF206FA5CD4199F37B0EF24328B28493BE912B12F1D63E49829B6E
                                                                      APIs
                                                                        • Part of subcall function 004063DB: lstrcpynW.KERNEL32(?,?,00000400,00403560,00429220,NSIS Error,?,00000007,00000009,0000000B), ref: 004063E8
                                                                        • Part of subcall function 00405D5B: CharNextW.USER32(?,?,00425F10,?,00405DCF,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D69
                                                                        • Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D6E
                                                                        • Part of subcall function 00405D5B: CharNextW.USER32(00000000), ref: 00405D86
                                                                      • lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E11
                                                                      • GetFileAttributesW.KERNELBASE(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405B0D,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405E21
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DB8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 3248276644-3081826266
                                                                      • Opcode ID: f78802c74069857e26c972368cced64b80d0155069d2bb9ab6be860a9edbe6e7
                                                                      • Instruction ID: 2671ab18330f60560c3719f84a1496f0714d5bb9fce48f62cd6cce0e1185a57b
                                                                      • Opcode Fuzzy Hash: f78802c74069857e26c972368cced64b80d0155069d2bb9ab6be860a9edbe6e7
                                                                      • Instruction Fuzzy Hash: FAF0F935108E6156D621333A6D0D6AF2504CE82364756853FFC52B12D5DF3C89539DBE
                                                                      APIs
                                                                      • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Remove folder: ,?,?,00406538,80000002), ref: 004062EF
                                                                      • RegCloseKey.KERNELBASE(?,?,00406538,80000002,Software\Microsoft\Windows\CurrentVersion,Remove folder: ,Remove folder: ,Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\), ref: 004062FA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: CloseQueryValue
                                                                      • String ID: Remove folder:
                                                                      • API String ID: 3356406503-1958208860
                                                                      • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                                      • Instruction ID: ae085d710551058a7f2532bbeea434883cb59e3c9f2bcee9d1549068d4bd9198
                                                                      • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                                      • Instruction Fuzzy Hash: B9015A72500209EADF218F51CC09EDB3BA8EF95364F01803AFD1AA6190D738D968DFA4
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,Error launching installer), ref: 004059ED
                                                                      • CloseHandle.KERNEL32(?), ref: 004059FA
                                                                      Strings
                                                                      • Error launching installer, xrefs: 004059D7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateHandleProcess
                                                                      • String ID: Error launching installer
                                                                      • API String ID: 3712363035-66219284
                                                                      • Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
                                                                      • Instruction ID: 20697c874bd4b9c747bb4d9041eb299060a3c9f0112610a55a8a246a05e7abf4
                                                                      • Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
                                                                      • Instruction Fuzzy Hash: 7DE0BFB46002097FEB109B64ED45F7B77ACEB04708F414966BD50F6150DB7499158E7C
                                                                      APIs
                                                                      • FreeLibrary.KERNELBASE(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004039ED,00403803,00000007,?,00000007,00000009,0000000B), ref: 00403A2F
                                                                      • GlobalFree.KERNEL32(?), ref: 00403A36
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A15
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Free$GlobalLibrary
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 1100898210-3081826266
                                                                      • Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
                                                                      • Instruction ID: e31a7033e06264a748858091d27326a34299cb79b9d6c3cb96cb008d14d5ef43
                                                                      • Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
                                                                      • Instruction Fuzzy Hash: 53E0EC36A511205BC7219F45AA0875E7BADAF58B22F05012AE8857B27087745C824F98
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2149477247.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149517999.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149735775.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149735775.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9f1c290fb996461610dc05284254ea561df87b77a02dec37c2f17ec044b843f5
                                                                      • Instruction ID: a08c2ff1229a9d9811f570562685937cd52cd07e2c0e62d18be643d670bbfbbc
                                                                      • Opcode Fuzzy Hash: 9f1c290fb996461610dc05284254ea561df87b77a02dec37c2f17ec044b843f5
                                                                      • Instruction Fuzzy Hash: B2712471E04228CFDF24CFA8C894BADBBB1FB45305F14806AD846BB281D7386996DF45
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2149477247.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149517999.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149735775.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149735775.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 94b25f7611fe17d8713c058a6f17e47c27a0001acd6cd4792c255928ec9836d2
                                                                      • Instruction ID: 79a44bce1fc769ef2bff189c36481e04bceb851a7a33cd9c662bfef797063258
                                                                      • Opcode Fuzzy Hash: 94b25f7611fe17d8713c058a6f17e47c27a0001acd6cd4792c255928ec9836d2
                                                                      • Instruction Fuzzy Hash: 16713571E04218CFDF28CFA8C854BADBBB1FB45305F14806AD856BB281C7786996DF45
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      • Associated: 00000000.00000002.2149477247.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149517999.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149538277.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149735775.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2149735775.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0815afd74f654c503a0d6cbf149fd97df88f382804d918d52621f4cf167551eb
                                                                      • Instruction ID: e69ca442741bc9d68f02c0d51ce09155c0cc214200520a71f8620544c8c92ec3
                                                                      • Opcode Fuzzy Hash: 0815afd74f654c503a0d6cbf149fd97df88f382804d918d52621f4cf167551eb
                                                                      • Instruction Fuzzy Hash: 78713731E04229CFEF24CF98C854BADBBB1FB45305F14806AD856BB281C7786996DF45
                                                                      APIs
                                                                      • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 004020FB
                                                                        • Part of subcall function 00405443: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000,0360FDB4,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
                                                                        • Part of subcall function 00405443: lstrlenW.KERNEL32(00403385,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000,0360FDB4,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
                                                                        • Part of subcall function 00405443: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00403385), ref: 0040549E
                                                                        • Part of subcall function 00405443: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\), ref: 004054B0
                                                                        • Part of subcall function 00405443: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
                                                                        • Part of subcall function 00405443: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
                                                                        • Part of subcall function 00405443: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE
                                                                      • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040210C
                                                                      • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402189
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                      • String ID:
                                                                      • API String ID: 334405425-0
                                                                      APIs
                                                                      • GlobalFree.KERNEL32(006181C0), ref: 00401C0B
                                                                      • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Global$AllocFree
                                                                      • String ID: "C:\Program Files\douwan\DouWan.exe"
                                                                      • API String ID: 3394109436-373846268
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(0040B5C8,00000023,00000011,00000002), ref: 004024CD
                                                                      • RegSetValueExW.KERNELBASE(?,?,?,?,0040B5C8,00000000,00000011,00000002), ref: 0040250D
                                                                      • RegCloseKey.ADVAPI32(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025F5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CloseValuelstrlen
                                                                      • String ID:
                                                                      • API String ID: 2655323295-0
                                                                      APIs
                                                                        • Part of subcall function 00405EAC: GetFileAttributesW.KERNELBASE(?,?,00405AB1,?,?,00000000,00405C87,?,?,?,?), ref: 00405EB1
                                                                        • Part of subcall function 00405EAC: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405EC5
                                                                      • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405C87), ref: 00405AC0
                                                                      • DeleteFileW.KERNELBASE(?,?,?,00000000,00405C87), ref: 00405AC8
                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405AE0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: File$Attributes$DeleteDirectoryRemove
                                                                      • String ID:
                                                                      • API String ID: 1655745494-0
                                                                      APIs
                                                                      • WaitForSingleObject.KERNEL32(?,00000064), ref: 0040688C
                                                                      • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004068A1
                                                                      • GetExitCodeProcess.KERNELBASE(?,?), ref: 004068AE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ObjectSingleWait$CodeExitProcess
                                                                      • String ID:
                                                                      • API String ID: 2567322000-0
                                                                      • Opcode ID: 43b4355e24816a7ad7f968a018a337995dd09ca4016bdbbfd5a9f17726beb16e
                                                                      • Instruction ID: 449920ab3f72c3dfc95b6517ca2509daec1a1628d624f4887b74fb8a1e473b91
                                                                      • Opcode Fuzzy Hash: 43b4355e24816a7ad7f968a018a337995dd09ca4016bdbbfd5a9f17726beb16e
                                                                      • Instruction Fuzzy Hash: 1CE0D832600508FBEB01AF54ED05E9E7F6EDB44700F114133FA01B6190C7B69E21DBA4
                                                                      APIs
                                                                      • SendMessageW.USER32(00000408,?,00000000,00403F66), ref: 00404328
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: x
                                                                      • API String ID: 3850602802-2363233923
                                                                      • Opcode ID: a76c2eed5e6c4a48a71d4bb01233dabb890d94c1a43f0b8c688eef3a32eb520d
                                                                      • Instruction ID: ecc1973ea6b3ff136f363d52418b38e05d917e404249dab502fcfdfbb77efee0
                                                                      • Opcode Fuzzy Hash: a76c2eed5e6c4a48a71d4bb01233dabb890d94c1a43f0b8c688eef3a32eb520d
                                                                      • Instruction Fuzzy Hash: 91C01272240202EBDB214B00EE04F167A30B7A4702F24C439FB81200B0CA318822DB1D
                                                                      APIs
                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402553
                                                                      • RegCloseKey.ADVAPI32(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 004025F5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CloseQueryValue
                                                                      • String ID:
                                                                      • API String ID: 3356406503-0
                                                                      • Opcode ID: 3d6c9ccb16a49f2bb67b9b3bea26724daa8a174f71ddb6cc528efbb602942d13
                                                                      • Instruction ID: 5cbb6f6618fb34015a42ffc449654bf6e6d7e06808bec770fc6a476f8cdcdd49
                                                                      • Opcode Fuzzy Hash: 3d6c9ccb16a49f2bb67b9b3bea26724daa8a174f71ddb6cc528efbb602942d13
                                                                      • Instruction Fuzzy Hash: AA113D71910209EBDF14DFA4DE589AE7774FF04354B20453BE402B62D0D7B84A45DB5E
                                                                      APIs
                                                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                      • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 63a2f56983bf68ef82dee2aa6a19202fa350abc755d43e3a7d8789ab9979b1a1
                                                                      • Instruction ID: 7386925216f0ba2205b30ed829fcd6135741b8aa1a9a6a78a8dcdd66e79b8f9a
                                                                      • Opcode Fuzzy Hash: 63a2f56983bf68ef82dee2aa6a19202fa350abc755d43e3a7d8789ab9979b1a1
                                                                      • Instruction Fuzzy Hash: 1001F431724220EBEB194B389D09B2A3698E710318F10867FF855F66F1E678CC169B5D
                                                                      APIs
                                                                      • OleInitialize.OLE32(00000000), ref: 00405526
                                                                        • Part of subcall function 0040437D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040438F
                                                                      • OleUninitialize.OLE32(00000404,00000000), ref: 00405572
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InitializeMessageSendUninitialize
                                                                      • String ID:
                                                                      • API String ID: 2896919175-0
                                                                      • Opcode ID: fc63040b4a478ac2ab6d1649a7b90cddf110423f46346301a32b5f76a47a80a4
                                                                      • Instruction ID: b1ddeeb25ba2a19929e7f2dc44f7fc61fd81dae06891ad5aaf8f1c5fa63b9bde
                                                                      • Opcode Fuzzy Hash: fc63040b4a478ac2ab6d1649a7b90cddf110423f46346301a32b5f76a47a80a4
                                                                      • Instruction Fuzzy Hash: 8AF0F076600600EBD3215B64AC01B1673A2EF90348F59407AEF84A33F4C77648028B6E
                                                                      APIs
                                                                      • ShowWindow.USER32(00000000,00000000), ref: 00401EFC
                                                                      • EnableWindow.USER32(00000000,00000000), ref: 00401F07
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Window$EnableShow
                                                                      • String ID:
                                                                      • API String ID: 1136574915-0
                                                                      • Opcode ID: 160cf1c66850f4bed6f66cfa63f2570c3352e267f1b5ac0914f4f272acffcfde
                                                                      • Instruction ID: 0770d74e77a1de07b8bd233185459685766243133281c20ed0e2d1775c5ce133
                                                                      • Opcode Fuzzy Hash: 160cf1c66850f4bed6f66cfa63f2570c3352e267f1b5ac0914f4f272acffcfde
                                                                      • Instruction Fuzzy Hash: 96E09A32A04200DFD704EFA4AE484AEB3B4FF90325B20097FE401F21D1CBB95C00862E
                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(?,00000020,?,00403501,0000000B), ref: 004067E2
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 004067FD
                                                                        • Part of subcall function 00406760: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406777
                                                                        • Part of subcall function 00406760: wsprintfW.USER32 ref: 004067B2
                                                                        • Part of subcall function 00406760: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004067C6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                      • String ID:
                                                                      • API String ID: 2547128583-0
                                                                      • Opcode ID: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
                                                                      • Instruction ID: 7df567e52fbdf149b69dac354ceafd4fa41e0472f673109ceae729e6c8d6a9a9
                                                                      • Opcode Fuzzy Hash: 6f78d3fdf53352f122fdb8e7e1f438bdfac4fae158339a91a146711bf240c1a4
                                                                      • Instruction Fuzzy Hash: 26E0863390421096E211A7709F88C7773A8AF89644307483EF946F2080EB38DC31A679
                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000000B,00000001), ref: 00402BAC
                                                                      • InvalidateRect.USER32(?), ref: 00402BBC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: InvalidateMessageRectSend
                                                                      • String ID:
                                                                      • API String ID: 909852535-0
                                                                      • Opcode ID: 2a0676ae90be67f4e45ef9be878a8b6c141c9e3d64a720bfd58ed6d5f87cbda7
                                                                      • Instruction ID: aef1bb2e3d2f08e15a3680b8984c825ff2ba3937951cc9e1bef0c5d416dad4ff
                                                                      • Opcode Fuzzy Hash: 2a0676ae90be67f4e45ef9be878a8b6c141c9e3d64a720bfd58ed6d5f87cbda7
                                                                      • Instruction Fuzzy Hash: 9AE08C72710408FFDB10CFA4ED84DAEB7B9FB40315F00407AFA02A00A0D7300C51CA28
                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
                                                                      • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Similarity
                                                                      • API ID: File$AttributesCreate
                                                                      • String ID:
                                                                      • API String ID: 415043291-0
                                                                      • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                                      • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                                                                      • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                                      • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(?,?,00405AB1,?,?,00000000,00405C87,?,?,?,?), ref: 00405EB1
                                                                      • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405EC5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: AttributesFile
                                                                      • String ID:
                                                                      • API String ID: 3188754299-0
                                                                      • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                      • Instruction ID: 60f8d920560889598159a3dbe09e4bd556728e0d1be390bcc4c147b032138fe0
                                                                      • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                      • Instruction Fuzzy Hash: 11D0C9725045306BC2102728EE0889BBF65EB682717014A35F9A5A22B0CB304C538A98
                                                                      APIs
                                                                      • CloseHandle.KERNEL32(FFFFFFFF,00403803,00000007,?,00000007,00000009,0000000B), ref: 004039DB
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\, xrefs: 004039EF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\
                                                                      • API String ID: 2962429428-2152897815
                                                                      • Opcode ID: 2eea29b1c240aa15bf74eed4a1ee934a769aeb744fc6ac634b902212ffb24aa0
                                                                      • Instruction ID: 70f88dc131aa1d5ad8f1f5eecea89e4a5cf59f90b67a815282bc2dee41357e4d
                                                                      • Opcode Fuzzy Hash: 2eea29b1c240aa15bf74eed4a1ee934a769aeb744fc6ac634b902212ffb24aa0
                                                                      • Instruction Fuzzy Hash: 63C0127064470056C5646F749E4F6063A546B8173AB60032AF0F8F00F1DB7C5A5D495D
                                                                      APIs
                                                                      • CreateDirectoryW.KERNELBASE(?,00000000,00403482,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00405995
                                                                      • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: CreateDirectoryErrorLast
                                                                      • String ID:
                                                                      • API String ID: 1375471231-0
                                                                      • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                      • Instruction ID: b8aeb4fbbaa0c149d17919ad16f2792b2b84c079cfd5907120def0498e2ab647
                                                                      • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                      • Instruction Fuzzy Hash: 6DC04CB1244501EED6105B209F08B1B7A90EB50791F1688396146E01A0DA3C8455D97E
                                                                      APIs
                                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: PrivateProfileStringWrite
                                                                      • String ID:
                                                                      • API String ID: 390214022-0
                                                                      • Opcode ID: 84911039e741b8054182bf8c56606a22799472c4c6cd86ceafd7de9864a58810
                                                                      • Instruction ID: 2036f094aef4cf8fcdd3ce51ebd23e93268b82f075a1b79732874c3119e34eec
                                                                      • Opcode Fuzzy Hash: 84911039e741b8054182bf8c56606a22799472c4c6cd86ceafd7de9864a58810
                                                                      • Instruction Fuzzy Hash: 30E086319001246ADB303AF15E8DEBF21586F44345B14093FFA12B62C2DAFC0C42467D
                                                                      APIs
                                                                      • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402DEF,00000000,?,?), ref: 0040629F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Create
                                                                      • String ID:
                                                                      • API String ID: 2289755597-0
                                                                      • Opcode ID: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
                                                                      • Instruction ID: 5e8c37c3a871b4686c003d5622fbd1f004467430ef2d1147db4d8909a4c30713
                                                                      • Opcode Fuzzy Hash: 33f0ef72135594440bd39ae1090de480165a05d63dfabbbeebd316e266d8c237
                                                                      • Instruction Fuzzy Hash: 6EE0E67201010DBFEF095F50EC0AE7B371DEB04310F01452EF916E4051E6B5A9309634
                                                                      APIs
                                                                      • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403444,00000000,00000000,0040329B,?,00000004,00000000,00000000,00000000), ref: 00405F68
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: FileRead
                                                                      • String ID:
                                                                      • API String ID: 2738559852-0
                                                                      • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                                      • Instruction ID: 9c26e1e14bdaa641b2cd1607f69676223ac96f38baf9ffa7ddee8aaf7cdc77b6
                                                                      • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                                      • Instruction Fuzzy Hash: 0DE0EC3221025EABDF10AEA59C04EEB7B6CEB053A0F004877FD25E7150D735E9219BA8
                                                                      APIs
                                                                      • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,00403412,000000FF,00414EC0,00000000,00414EC0,00000000,?,00000004,00000000), ref: 00405F97
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite
                                                                      • String ID:
                                                                      • API String ID: 3934441357-0
                                                                      • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                      • Instruction ID: e9dec13cd64576ed05e9c77268ddc280887ed2a39adbcd5729fa6c11973cde1c
                                                                      • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                      • Instruction Fuzzy Hash: B8E0EC7221065AABDF109E659C00BEB7B6CEB05360F004476FE65E3150E639E9219BA5
                                                                      APIs
                                                                      • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040241D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: PrivateProfileString
                                                                      • String ID:
                                                                      • API String ID: 1096422788-0
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,004062D6,?,00000000,?,?,Remove folder: ,?), ref: 0040626C
                                                                      Similarity
                                                                      • API ID: Open
                                                                      • String ID:
                                                                      • API String ID: 71445658-0
                                                                      APIs
                                                                      • SetDlgItemTextW.USER32(?,?,00000000), ref: 0040434B
                                                                      Similarity
                                                                      • API ID: ItemText
                                                                      • String ID:
                                                                      • API String ID: 3367045223-0
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040438F
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      APIs
                                                                      • SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 00403455
                                                                      Similarity
                                                                      • API ID: FilePointer
                                                                      • String ID:
                                                                      • API String ID: 973152223-0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      APIs
                                                                      • KiUserCallbackDispatcher.NTDLL(?,0040412A), ref: 0040435D
                                                                      Similarity
                                                                      • API ID: CallbackDispatcherUser
                                                                      • String ID:
                                                                      • API String ID: 2492992576-0
                                                                      APIs
                                                                        • Part of subcall function 00405443: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000,0360FDB4,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000,?), ref: 0040547B
                                                                        • Part of subcall function 00405443: lstrlenW.KERNEL32(00403385,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00000000,0360FDB4,004031E6,?,?,?,?,?,?,?,?,?,00403385,00000000), ref: 0040548B
                                                                        • Part of subcall function 00405443: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,00403385), ref: 0040549E
                                                                        • Part of subcall function 00405443: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsaFD81.tmp\), ref: 004054B0
                                                                        • Part of subcall function 00405443: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054D6
                                                                        • Part of subcall function 00405443: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054F0
                                                                        • Part of subcall function 00405443: SendMessageW.USER32(?,00001013,?,00000000), ref: 004054FE
                                                                        • Part of subcall function 004059C4: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,Error launching installer), ref: 004059ED
                                                                        • Part of subcall function 004059C4: CloseHandle.KERNEL32(?), ref: 004059FA
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                                                                        • Part of subcall function 0040687B: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040688C
                                                                        • Part of subcall function 0040687B: GetExitCodeProcess.KERNELBASE(?,?), ref: 004068AE
                                                                        • Part of subcall function 00406322: wsprintfW.USER32 ref: 0040632F
                                                                      Similarity
                                                                      • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                      • String ID:
                                                                      • API String ID: 2972824698-0
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911
                                                                      Similarity
                                                                      • API ID: FileFindFirst
                                                                      • String ID:
                                                                      • API String ID: 1974802433-0
                                                                      • Opcode ID: 3a3c8e021aac443e7d1b39a8b6dfaba58084c306ccb8c3208a910f709684840e
                                                                      • Instruction ID: 8edab8899b0228974304dfa76bdc964f5a5729fff09c5fb89d7f9bd6055596d6
                                                                      • Opcode Fuzzy Hash: 3a3c8e021aac443e7d1b39a8b6dfaba58084c306ccb8c3208a910f709684840e
                                                                      • Instruction Fuzzy Hash: ADF05E71A041049AC700DFA4D9499AEB374EF10314F61457BE912F21E0D7B85E119B2A
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003F9), ref: 00404DB5
                                                                      • GetDlgItem.USER32(?,00000408), ref: 00404DC2
                                                                      • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E0E
                                                                      • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E25
                                                                      • SetWindowLongW.USER32(?,000000FC,004053B7), ref: 00404E3F
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E53
                                                                      • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404E67
                                                                      • SendMessageW.USER32(?,00001109,00000002), ref: 00404E7C
                                                                      • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404E88
                                                                      • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404E9A
                                                                      • DeleteObject.GDI32(00000110), ref: 00404E9F
                                                                      • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404ECA
                                                                      • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ED6
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F71
                                                                      • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404FA1
                                                                        • Part of subcall function 00404366: SendMessageW.USER32(00000028,?,00000001,00404191), ref: 00404374
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FB5
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00404FE3
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404FF1
                                                                      • ShowWindow.USER32(?,00000005), ref: 00405001
                                                                      • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405102
                                                                      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405164
                                                                      • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405179
                                                                      • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040519D
                                                                      • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051C0
                                                                      • ImageList_Destroy.COMCTL32(?), ref: 004051D5
                                                                      • GlobalFree.KERNEL32(?), ref: 004051E5
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040525E
                                                                      • SendMessageW.USER32(?,00001102,?,?), ref: 00405307
                                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405316
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00405340
                                                                      • ShowWindow.USER32(?,00000000), ref: 0040538E
                                                                      • GetDlgItem.USER32(?,000003FE), ref: 00405399
                                                                      • ShowWindow.USER32(00000000), ref: 004053A0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                      • String ID: $M$N
                                                                      • API String ID: 2564846305-813528018
                                                                      • Opcode ID: e65f9a1c394212a9998e8446e7bde38381c40a8c32278b0b704a2027b11c527a
                                                                      • Instruction ID: f13cb60032faeb06b1ff68bd0c1dc2f430bb97b794b1e627908efdb4cc4bd96d
                                                                      • Opcode Fuzzy Hash: e65f9a1c394212a9998e8446e7bde38381c40a8c32278b0b704a2027b11c527a
                                                                      • Instruction Fuzzy Hash: 04127DB0900609EFDF209F95CD45AAE7BB5FB84314F10817AFA10BA2E1D7798951CF58
                                                                      APIs
                                                                      • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                      • BeginPaint.USER32(?,?), ref: 00401047
                                                                      • GetClientRect.USER32(?,?), ref: 0040105B
                                                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                      • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                      • DeleteObject.GDI32(?), ref: 004010ED
                                                                      • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                      • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                      • DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                      • DeleteObject.GDI32(?), ref: 00401165
                                                                      • EndPaint.USER32(?,?), ref: 0040116E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                      • String ID: F
                                                                      • API String ID: 941294808-1304234792
                                                                      • Opcode ID: 80cfb8c675e835c75fd7954a1f24ba06797c47b4a778c986a5d394adc8f03950
                                                                      • Instruction ID: d01d0d5cc9b133415a9533ecc51a0e37331fb978861fbb258d472761deeb6ec3
                                                                      • Opcode Fuzzy Hash: 80cfb8c675e835c75fd7954a1f24ba06797c47b4a778c986a5d394adc8f03950
                                                                      • Instruction Fuzzy Hash: 80418C71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA1A0CB34D955DFA4
                                                                      APIs
                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061C2,?,?), ref: 00406062
                                                                      • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 0040606B
                                                                        • Part of subcall function 00405E36: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E46
                                                                        • Part of subcall function 00405E36: lstrlenA.KERNEL32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
                                                                      • GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 00406088
                                                                      • wsprintfA.USER32 ref: 004060A6
                                                                      • GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 004060E1
                                                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060F0
                                                                      • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406128
                                                                      • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 0040617E
                                                                      • GlobalFree.KERNEL32(00000000), ref: 0040618F
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406196
                                                                        • Part of subcall function 00405ED1: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405ED5
                                                                        • Part of subcall function 00405ED1: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405EF7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                      • String ID: %ls=%ls$[Rename]
                                                                      • API String ID: 2171350718-461813615
                                                                      • Opcode ID: 14bce744a7a2355e64489e61f924d159f8cce694719fd503f34625c38293456b
                                                                      • Instruction ID: 12f543f5511dcafe86fd679503ff52a70677b7710d95204b96aa1b9436a2079a
                                                                      • Opcode Fuzzy Hash: 14bce744a7a2355e64489e61f924d159f8cce694719fd503f34625c38293456b
                                                                      • Instruction Fuzzy Hash: AD310271200715BFC2206B659D48F2B3AACDF41714F16003ABD86BA2D3DA3DAD1186BD
                                                                      APIs
                                                                      • CharNextW.USER32(?,*?|<>/":,00000000,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 004066ED
                                                                      • CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 004066FC
                                                                      • CharNextW.USER32(?,00000000,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406701
                                                                      • CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe",0040346A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00406714
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 0040668B
                                                                      • "C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe", xrefs: 0040668A
                                                                      • *?|<>/":, xrefs: 004066DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Char$Next$Prev
                                                                      • String ID: "C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 589700163-2489647089
                                                                      • Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                                                      • Instruction ID: c93b7236ce9398e1af64c827f7f3df25a4e663042e3c0a86589bb20fd507ce77
                                                                      • Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
                                                                      • Instruction Fuzzy Hash: 6111CB2580061195DB3037548C84B7762E8EF547A4F52443FED86B32C0E77D5CA286BD
                                                                      APIs
                                                                      • GetWindowLongW.USER32(?,000000EB), ref: 004043B5
                                                                      • GetSysColor.USER32(00000000), ref: 004043F3
                                                                      • SetTextColor.GDI32(?,00000000), ref: 004043FF
                                                                      • SetBkMode.GDI32(?,?), ref: 0040440B
                                                                      • GetSysColor.USER32(?), ref: 0040441E
                                                                      • SetBkColor.GDI32(?,?), ref: 0040442E
                                                                      • DeleteObject.GDI32(?), ref: 00404448
                                                                      • CreateBrushIndirect.GDI32(?), ref: 00404452
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                      • String ID:
                                                                      • API String ID: 2320649405-0
                                                                      • Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                                                      • Instruction ID: 9b2ff1ab0d94660d7576f8ed4a98babdba82e7b09994482354a54f078556bf7c
                                                                      • Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
                                                                      • Instruction Fuzzy Hash: 9B2162715007089BCB20DF38D948B5BBBF8AF80714B04892EE996A26E1D734E904CF59
                                                                      APIs
                                                                      • ReadFile.KERNEL32(?,?,?,?), ref: 00402750
                                                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
                                                                      • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
                                                                      • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4
                                                                        • Part of subcall function 00405FB2: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FC8
                                                                      • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                      • String ID: 9
                                                                      • API String ID: 163830602-2366072709
                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D07
                                                                      • GetMessagePos.USER32 ref: 00404D0F
                                                                      • ScreenToClient.USER32(?,?), ref: 00404D29
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D3B
                                                                      • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D61
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Message$Send$ClientScreen
                                                                      • String ID: f
                                                                      • API String ID: 41195575-1993550816
                                                                      APIs
                                                                      • GetDC.USER32(?), ref: 00401E51
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                                      • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                                      • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: CapsCreateDeviceFontIndirectRelease
                                                                      • String ID: MS Shell Dlg
                                                                      • API String ID: 3808545654-76309092
                                                                      APIs
                                                                      • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
                                                                      • MulDiv.KERNEL32(02C5DA80,00000064,02C640F0), ref: 00402F74
                                                                      • wsprintfW.USER32 ref: 00402F84
                                                                      • SetWindowTextW.USER32(?,?), ref: 00402F94
                                                                      • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6
                                                                      Strings
                                                                      • verifying installer: %d%%, xrefs: 00402F7E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Text$ItemTimerWindowwsprintf
                                                                      • String ID: verifying installer: %d%%
                                                                      • API String ID: 1451636040-82062127
                                                                      APIs
                                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402E95
                                                                      • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: CloseEnum$DeleteValue
                                                                      • String ID:
                                                                      • API String ID: 1354259210-0
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,?), ref: 00401D9A
                                                                      • GetClientRect.USER32(?,?), ref: 00401DE5
                                                                      • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                                                      • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                                                      • DeleteObject.GDI32(00000000), ref: 00401E39
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                      • String ID:
                                                                      • API String ID: 1849352358-0
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00405CB6
                                                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040347C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036D9,?,00000007,00000009,0000000B), ref: 00405CC0
                                                                      • lstrcatW.KERNEL32(?,0040A014), ref: 00405CD2
                                                                      Strings
                                                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405CB0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: CharPrevlstrcatlstrlen
                                                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                                                      • API String ID: 2659869361-3081826266
                                                                      APIs
                                                                      • DestroyWindow.USER32(00000000,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
                                                                      • GetTickCount.KERNEL32 ref: 00402FE2
                                                                      • CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
                                                                      • ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                      • String ID:
                                                                      • API String ID: 2102729457-0
                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 004053E6
                                                                      • CallWindowProcW.USER32(?,?,?,?), ref: 00405437
                                                                        • Part of subcall function 0040437D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040438F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CallMessageProcSendVisible
                                                                      • String ID:
                                                                      • API String ID: 3748168415-3916222277
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D02
                                                                      • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,C:\Users\user\Desktop\DouWan-Video-Setup-En-4.3.0.3-x64.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D12
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: CharPrevlstrlen
                                                                      • String ID: C:\Users\user\Desktop
                                                                      • API String ID: 2709904686-224404859
                                                                      APIs
                                                                      • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E46
                                                                      • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E5E
                                                                      • CharNextA.USER32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E6F
                                                                      • lstrlenA.KERNEL32(00000000,?,00000000,0040611B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E78
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2149496439.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_400000_DouWan-Video-Setup-En-4.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen$CharNextlstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 190613189-0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf82f0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: Debug@@$Image@@Logger@@Message$?warning@$??6@?height@?size@?width@Null@Size@@Size@@@
                                                                      • String ID: ICCP$QWebpHandler::write() source image too large for WebP: $VP8X$failed to encode webp picture, error code: $failed to import image data to webp picture.$failed to init webp picture and config$source image is null.
                                                                      • API String ID: 3929610831-1702430057
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: Logger@@Message$?warning@
                                                                      • String ID: Invalid EXIF orientation$QTiffHandler::canRead() called with no device$foo
                                                                      • API String ID: 3543197520-3963478227
                                                                      APIs
                                                                      • log10.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDF834E681,?,?,?,00007FFDF82F21CB), ref: 00007FFDF834E208
                                                                      • log10.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDF834E681,?,?,?,00007FFDF82F21CB), ref: 00007FFDF834E22D
                                                                      • log10.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDF834E681,?,?,?,00007FFDF82F21CB), ref: 00007FFDF834E296
                                                                      • log10.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDF834E681,?,?,?,00007FFDF82F21CB), ref: 00007FFDF834E2BB
                                                                      • log10.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDF834E681,?,?,?,00007FFDF82F21CB), ref: 00007FFDF834E31A
                                                                      • log10.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDF834E681,?,?,?,00007FFDF82F21CB), ref: 00007FFDF834E33F
                                                                      • log10.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDF834E681,?,?,?,00007FFDF82F21CB), ref: 00007FFDF834E3B5
                                                                      • log10.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDF834E681,?,?,?,00007FFDF82F21CB), ref: 00007FFDF834E3DA
                                                                      • log10.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFDF834E681,?,?,?,00007FFDF82F21CB), ref: 00007FFDF834E450
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf82f0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: log10
                                                                      • String ID:
                                                                      • API String ID: 1421435071-0
                                                                      APIs
                                                                      • RtlCaptureContext.KERNEL32 ref: 6AD13D44
                                                                      • RtlLookupFunctionEntry.KERNEL32 ref: 6AD13D5B
                                                                      • RtlVirtualUnwind.KERNEL32 ref: 6AD13D9D
                                                                      • SetUnhandledExceptionFilter.KERNEL32 ref: 6AD13DE4
                                                                      • UnhandledExceptionFilter.KERNEL32 ref: 6AD13DF1
                                                                      • GetCurrentProcess.KERNEL32 ref: 6AD13DF7
                                                                      • TerminateProcess.KERNEL32 ref: 6AD13E05
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2407098796.000000006AD01000.00000020.00000001.01000000.00000026.sdmp, Offset: 6AD00000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_6ad00000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtual
                                                                      • String ID:
                                                                      • API String ID: 3266983031-0
                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32 ref: 6AD13C95
                                                                      • GetCurrentProcessId.KERNEL32 ref: 6AD13CA0
                                                                      • GetCurrentThreadId.KERNEL32 ref: 6AD13CA8
                                                                      • GetTickCount.KERNEL32 ref: 6AD13CB0
                                                                      • QueryPerformanceCounter.KERNEL32 ref: 6AD13CBD
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2407098796.000000006AD01000.00000020.00000001.01000000.00000026.sdmp, Offset: 6AD00000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_6ad00000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                      • String ID:
                                                                      • API String ID: 1445889803-0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: atan2
                                                                      • String ID: 16InitState
                                                                      • API String ID: 4237371541-2050202777
                                                                      • Opcode ID: db5038beacac66bf14488d47fc3a4c8e32ff7b706a096c24a8ba38b9869ae649
                                                                      • Instruction ID: 28a201ffb5e95036e81af3437486226e50fc8cc8a9542365fd7e0be6e4e937df
                                                                      • Opcode Fuzzy Hash: db5038beacac66bf14488d47fc3a4c8e32ff7b706a096c24a8ba38b9869ae649
                                                                      • Instruction Fuzzy Hash: 9D224C12B1C9C587D32B7F2C98676F4A3E5AFA4345F095331DA469E7A8EF36D642C200
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447603284.00007FFDF82F0000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447800943.00007FFDF8356000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447834616.00007FFDF8368000.00000004.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447897290.00007FFDF836B000.00000002.00000001.01000000.0000003F.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf82f0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: memcpy
                                                                      • String ID:
                                                                      • API String ID: 3510742995-0
                                                                      • Opcode ID: 23e14d699e8ccff73e7cb97ceae3be9dd6d452cb41d6cdb1609cc89309208bea
                                                                      • Instruction ID: 144226e691114b296518eda9d5d5c5e1dda40ffa15b2db44efa15b6e7e51c844
                                                                      • Opcode Fuzzy Hash: 23e14d699e8ccff73e7cb97ceae3be9dd6d452cb41d6cdb1609cc89309208bea
                                                                      • Instruction Fuzzy Hash: 55912632B1859187D7249B15E840BAA77D1F7D8791F588235DE6EC3FE8DA3CD5809B00
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447603284.00007FFDF82F0000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447800943.00007FFDF8356000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447834616.00007FFDF8368000.00000004.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447897290.00007FFDF836B000.00000002.00000001.01000000.0000003F.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf82f0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: ByteImage@@$Array@@$Painter@@$Color$CompositionV0@@$?setData@Device@@Space@@$?const?device@?fromHandler@@ImageMode@Mode@1@@Rect@@V0@$$$?bits@?bytes?detach@?draw?fill?read?sizeAll@Array@@@Bytes@Color@Color@@Color@@@Device@@@Format@0@@GlobalImage@Image@@@Line@PaintProfile@Qt@@@Rect@Space@Space@@@
                                                                      • String ID: ICCP
                                                                      • API String ID: 1275641403-96187904
                                                                      • Opcode ID: 802b2240eb689a3a4ff9afbc4f475b4d1b30be4d2e3846756243199c517e4c15
                                                                      • Instruction ID: 260a3f9266938bfb6613948977163c1d2506a315afabbb2466776a2834e701ef
                                                                      • Opcode Fuzzy Hash: 802b2240eb689a3a4ff9afbc4f475b4d1b30be4d2e3846756243199c517e4c15
                                                                      • Instruction Fuzzy Hash: F3915F31B08A83C7EB619B61D464AAD33A0FB44B49F444031CE5E9A6E8EF3CF549D346
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: fprintf$__stdio_common_vfprintf
                                                                      • String ID: Bad Fax Lines: %lu$ Consecutive Bad Fax Lines: %lu$ Fax Data:$ Group 3 Options:$ Group 4 Options:$ (%lu = 0x%lx)$ (%u = 0x%x)$ clean$ receiver regenerated$ uncorrected errors$%s2-d encoding$%sEOL padding$%suncompressed data
                                                                      • API String ID: 1660322318-36080234
                                                                      • Opcode ID: 9c7fee4c1dbca2b486521c68db7e7fa531ee1e7715ced7a416fb69fe583e11c5
                                                                      • Instruction ID: 46e946de9e8fb90c28e859951803dc9b427cf7f86877a0eae5566ddaee039ec3
                                                                      • Opcode Fuzzy Hash: 9c7fee4c1dbca2b486521c68db7e7fa531ee1e7715ced7a416fb69fe583e11c5
                                                                      • Instruction Fuzzy Hash: AB41D3A1B0AA0697EB14FB19E46187563A1BB44788F4C5031DA2D87AFDDF2CF401E70A
                                                                      APIs
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDBB
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDCD
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDDF
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDF1
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE03
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE15
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE2A
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE3F
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE48
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE51
                                                                        • Part of subcall function 00007FFDF8384F80: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDF8384FCB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: free$__stdio_common_vsprintf
                                                                      • String ID: Missing required "Colormap" tag$Out of memory for colormap copy$PhotometricInterpretation$Samples/pixel$Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d$Sorry, can not handle image
                                                                      • API String ID: 1971148152-3554203956
                                                                      • Opcode ID: 345907df334047eaf02e08b45a462177521036f4cc341d1499cfcb0cfb9601fc
                                                                      • Instruction ID: 4e336cf31b93bc1c7f1febaeec72506b97c7a55bfb14e5fb1423c23e6b89fbf0
                                                                      • Opcode Fuzzy Hash: 345907df334047eaf02e08b45a462177521036f4cc341d1499cfcb0cfb9601fc
                                                                      • Instruction Fuzzy Hash: C391A262B0861693EB58FB91D5A09B923E5FF44744F080035DA2DC7AE9DF3CE560A34A
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447603284.00007FFDF82F0000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447800943.00007FFDF8356000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447834616.00007FFDF8368000.00000004.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447897290.00007FFDF836B000.00000002.00000001.01000000.0000003F.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf82f0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: Byte$Array@@$Device@@Handler@@ImageLogger@@MessageWith@$?device@?ends?peek@?set?starts?warning@Array@@@Array@@_Format@
                                                                      • String ID: QWebpHandler::canRead() called with no device$RIFF$WEBP
                                                                      • API String ID: 4149987770-97849969
                                                                      • Opcode ID: e27780f831be1c744ebb45da94cdb5135227dbd95b7c49b8f71903391be5fb22
                                                                      • Instruction ID: ccd0263b4c5d4db5d2ec1c5a5f569dce4acb8293a8eaab1826852838d738e7f2
                                                                      • Opcode Fuzzy Hash: e27780f831be1c744ebb45da94cdb5135227dbd95b7c49b8f71903391be5fb22
                                                                      • Instruction Fuzzy Hash: 52215E61B08653C3EF00AB64E464A7963A0FB94755F880031C56E8A6E8EF6CF549EB46
                                                                      APIs
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDBB
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDCD
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDDF
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDF1
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE03
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE15
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE2A
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE3F
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE48
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE51
                                                                        • Part of subcall function 00007FFDF8384F80: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDF8384FCB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: free$__stdio_common_vsprintf
                                                                      • String ID: InkSet$Samples/pixel$Sorry, can not handle image$Sorry, can not handle separated image with %s=%d
                                                                      • API String ID: 1971148152-523817340
                                                                      • Opcode ID: 69217fb0361e77cd60fe7d7f7a95100c746bb1fea924d677b32a5394148e2fa6
                                                                      • Instruction ID: 2334e4b8483ea5dd10c07dcfb71d78e73b4044dc19afe7871141ea4b6668d525
                                                                      • Opcode Fuzzy Hash: 69217fb0361e77cd60fe7d7f7a95100c746bb1fea924d677b32a5394148e2fa6
                                                                      • Instruction Fuzzy Hash: D4518122B0861693FB58BB91D5609B923E5FF40704F084035CA2DC7AE9CF7CE4A1A34B
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: free$bsearchqsortstrncmp
                                                                      • String ID: Failed to allocate fields array$Setting up field info failed$Tag $_TIFFMergeFields$_TIFFSetupFields$for fields array
                                                                      • API String ID: 1691287899-854170614
                                                                      • Opcode ID: bf7ef088fa8f41c5d33118f9d010cd0f10a17c2e5d02869341d7d8f391d53be3
                                                                      • Instruction ID: eb8183b0f6f9f941977e507d68ea3d0a017fbf21740bf527e75e17dbf1e6b66e
                                                                      • Opcode Fuzzy Hash: bf7ef088fa8f41c5d33118f9d010cd0f10a17c2e5d02869341d7d8f391d53be3
                                                                      • Instruction Fuzzy Hash: 1A6173B3709B4582EB50AF55E450BA973A0FB84B88F088136CEAD877ACDF38D445D319
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID: %.100s: Can not read TIFF directory$%s: Can not read TIFF directory count$%s: Seek error accessing TIFF directory$Can not read TIFF directory$Can not read TIFF directory count$Sanity check on directory count failed, this is probably not a valid IFD offset$Sanity check on directory count failed, zero tag directories not supported$TIFFFetchDirectory$to read TIFF directory
                                                                      • API String ID: 1294909896-1212650041
                                                                      • Opcode ID: 066cf8a328b4e53e209ad34501e3fcc23a37519a392b22376b81c9e0182144c2
                                                                      • Instruction ID: 431e7d292dcf0dc874c14954fdb58651fa802db189a8f4d06a4c7b5c0a86e268
                                                                      • Opcode Fuzzy Hash: 066cf8a328b4e53e209ad34501e3fcc23a37519a392b22376b81c9e0182144c2
                                                                      • Instruction Fuzzy Hash: BDF1E56270869287EB58AF61C4649B877A0FB04745F4C8035EE7D876EDDF2CE190E31A
                                                                      APIs
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDBB
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDCD
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDDF
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDF1
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE03
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE15
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE2A
                                                                        • Part of subcall function 00007FFDF8384F80: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FFDF8384FCB
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE3F
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE48
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE51
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: free$__stdio_common_vsprintf
                                                                      • String ID: Color channels$Sorry, can not handle RGB image with %s=%d$Sorry, can not handle image
                                                                      • API String ID: 1971148152-4225440703
                                                                      • Opcode ID: 42bc08ceac5a549724847c1fc283a1fc4ddb778d2ac97f0c9c3436fe8b69e542
                                                                      • Instruction ID: 09883cef95eff89e3c00becf62cd40cc9a014bbe67bf6d8f9a5e2351d98e8966
                                                                      • Opcode Fuzzy Hash: 42bc08ceac5a549724847c1fc283a1fc4ddb778d2ac97f0c9c3436fe8b69e542
                                                                      • Instruction Fuzzy Hash: 1D516022B0861693EB58BB9195609B923E5FF40744F084435CA2D87AE9CF7CE471A34B
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2406667187.00000000665A1000.00000020.00000001.01000000.00000017.sdmp, Offset: 665A0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CreateHandleInstanceModule
                                                                      • String ID: CoCreateInstance$Coinitialize$Enumerating DirectInput devices$GetModuleHandle() failed with error code %lu.$Haptic error %s$Haptic: SubSystem already open.$Initializing DirectInput device
                                                                      • API String ID: 998693751-2975043485
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "%s": Bad mode$%s: Out of memory (TIFF structure)$Cannot read TIFF header$Error writing TIFF header$Not a TIFF file, bad BigTIFF offsetsize %d (0x%x)$Not a TIFF file, bad BigTIFF unused %d (0x%x)$Not a TIFF file, bad version number %d (0x%x)$Not a TIFF or MDI file, bad magic number %d (0x%x)$One of the client procedures is NULL pointer.$TIFFClientOpen
                                                                      • API String ID: 0-3274447622
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_initialize_crt__scrt_release_startup_lock
                                                                      • String ID:
                                                                      • API String ID: 3958738658-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Initialize__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_fastfail__scrt_initialize_crt__scrt_release_startup_lock
                                                                      • String ID:
                                                                      • API String ID: 3958738658-0
                                                                      APIs
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDBB
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDCD
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDDF
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BDF1
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE03
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE15
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,00007FFDF839C364), ref: 00007FFDF839BE2A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID: Sorry, can not handle image
                                                                      • API String ID: 1294909896-3242522384
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      Similarity
                                                                      • API ID: __acrt_iob_func$__stdio_common_vfprintffprintf
                                                                      • String ID: %s: $Warning,
                                                                      • API String ID: 3544570504-3792809309
                                                                      APIs
                                                                      • ??0QMessageLogger@@QEAA@PEBDH0@Z.QT5CORE(?,?,?,?,?,?,?,?,00007FFDF82F10C8), ref: 00007FFDF82F1496
                                                                      • ?warning@QMessageLogger@@QEBAXPEBDZZ.QT5CORE(?,?,?,?,?,?,?,?,00007FFDF82F10C8), ref: 00007FFDF82F14A6
                                                                      • ?peek@QIODevice@@QEAA?AVQByteArray@@_J@Z.QT5CORE(?,?,?,?,?,?,?,?,00007FFDF82F10C8), ref: 00007FFDF82F14C3
                                                                      • ?startsWith@QByteArray@@QEBA_NPEBD@Z.QT5CORE(?,?,?,?,?,?,?,?,00007FFDF82F10C8), ref: 00007FFDF82F14D5
                                                                      • ?endsWith@QByteArray@@QEBA_NPEBD@Z.QT5CORE(?,?,?,?,?,?,?,?,00007FFDF82F10C8), ref: 00007FFDF82F14EB
                                                                      • ??1QByteArray@@QEAA@XZ.QT5CORE(?,?,?,?,?,?,?,?,00007FFDF82F10C8), ref: 00007FFDF82F1500
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Byte$Array@@$Logger@@MessageWith@$?ends?peek@?starts?warning@Array@@_Device@@
                                                                      • String ID: QWebpHandler::canRead() called with no device$RIFF$WEBP
                                                                      • API String ID: 1375363764-97849969
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID:
                                                                      • API String ID: 1294909896-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      Similarity
                                                                      • API ID: free$z_deflatez_inflate
                                                                      • String ID:
                                                                      • API String ID: 70878489-0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      Similarity
                                                                      • API ID: freememsetrealloc
                                                                      • String ID: Chunk size requested is larger than file size.$Invalid buffer size$No space for data buffer at scanline %lu$Read error at row %lu, col %lu, tile %lu; got %I64u bytes, expected %I64u$Read error at scanline %lu; got %I64u bytes, expected %I64u
                                                                      • API String ID: 4240359059-3800912084
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      Similarity
                                                                      • API ID: fprintf$__stdio_common_vfprintf
                                                                      • String ID: Predictor: $%d (0x%x)$floating point predictor $horizontal differencing $none
                                                                      • API String ID: 1660322318-2004337904
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID: (null)$1.2.11 (Qt)$PixarLog compression can't handle bits depth/data format combination (depth: %d)$PixarLogSetupDecode
                                                                      • API String ID: 1294909896-3295346816
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID: %s: Bad value %u for "%s" tag$SamplesPerPixel tag value is changing, but SMaxSampleValue tag was read with a different value. Cancelling it$SamplesPerPixel tag value is changing, but SMinSampleValue tag was read with a different value. Cancelling it$SamplesPerPixel tag value is changing, but TransferFunction was read with a different value. Cancelling it$_TIFFVSetField
                                                                      • API String ID: 1294909896-601444508
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: Variant@@$?device@Device@@Handler@@ImageSize@@@
                                                                      • String ID:
                                                                      • API String ID: 314237183-0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %s data at scanline %lu (%I64u != %I64u)$Fractional scanlines cannot be read$Not enough$ThunderDecode$ThunderDecodeRow$Too much
                                                                      • API String ID: 0-2054988985
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2406667187.00000000665A1000.00000020.00000001.01000000.00000017.sdmp, Offset: 665A0000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2406642149.00000000665A0000.00000002.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406792693.00000000666B7000.00000004.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406820999.00000000666BA000.00000008.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406847159.00000000666BB000.00000004.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406871627.00000000666BC000.00000002.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406912844.0000000066701000.00000004.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406945844.0000000066705000.00000002.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406972363.000000006670A000.00000004.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406997040.000000006670C000.00000008.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406997040.000000006670F000.00000008.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2407044496.0000000066710000.00000002.00000001.01000000.00000017.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_665a0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: UTF-16LE$UTF-8
                                                                      • API String ID: 0-3488809055
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: freememcpy
                                                                      • String ID: (cc0%rowsize)!=0$Out of memory allocating %lld byte temp buffer.$PredictorEncodeTile$PredictorEncodeTile
                                                                      • API String ID: 3223336191-847376769
                                                                      APIs
                                                                      Strings
                                                                      • VirtualProtect failed with code 0x%x, xrefs: 6AD14094
                                                                      • Address %p has no image-section, xrefs: 6AD140BF
                                                                      • VirtualQuery failed for %d bytes at address %p, xrefs: 6AD140AE
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2407098796.000000006AD01000.00000020.00000001.01000000.00000026.sdmp, Offset: 6AD00000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2407068238.000000006AD00000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407128998.000000006AD17000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407154507.000000006AD1F000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407177787.000000006AD20000.00000004.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407201919.000000006AD23000.00000008.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407225283.000000006AD24000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407225283.000000006AD3A000.00000002.00000001.01000000.00000026.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_6ad00000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$ErrorLastProtectQuery
                                                                      • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                      • API String ID: 637304234-2123141913
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: __acrt_iob_func$__stdio_common_vfprintf$fprintf
                                                                      • String ID: %s:
                                                                      • API String ID: 1421828120-4275611816
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447603284.00007FFDF82F0000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447800943.00007FFDF8356000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447834616.00007FFDF8368000.00000004.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447897290.00007FFDF836B000.00000002.00000001.01000000.0000003F.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf82f0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: memset$memcpy
                                                                      • String ID:
                                                                      • API String ID: 368790112-0
                                                                      APIs
                                                                      • VirtualQuery.KERNEL32(?,?,?,?,?,6AD16074,?,?,?,?,?,6AD01315), ref: 6AD14280
                                                                      • VirtualProtect.KERNEL32(?,?,?,?,?,6AD16074,?,?,?,?,?,6AD01315), ref: 6AD142A2
                                                                      Strings
                                                                      • Unknown pseudo relocation bit size %d., xrefs: 6AD1435B
                                                                      • Unknown pseudo relocation protocol version %d., xrefs: 6AD143BC
                                                                      • VirtualQuery failed for %d bytes at address %p, xrefs: 6AD140AE, 6AD143A5
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2407098796.000000006AD01000.00000020.00000001.01000000.00000026.sdmp, Offset: 6AD00000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2407068238.000000006AD00000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407128998.000000006AD17000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407154507.000000006AD1F000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407177787.000000006AD20000.00000004.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407201919.000000006AD23000.00000008.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407225283.000000006AD24000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407225283.000000006AD3A000.00000002.00000001.01000000.00000026.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_6ad00000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$ProtectQuery
                                                                      • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
                                                                      • API String ID: 1027372294-974437099
                                                                      APIs
                                                                      • bsearch.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,00007FFDF83819CB), ref: 00007FFDF83889A6
                                                                      • qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,00007FFDF83819CB), ref: 00007FFDF8388A21
                                                                        • Part of subcall function 00007FFDF8384930: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,00007FFDF8385DD7), ref: 00007FFDF8384980
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: bsearchqsortrealloc
                                                                      • String ID: Failed to allocate fields array$_TIFFMergeFields$for fields array
                                                                      • API String ID: 1943641390-3723289973
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: z_inflate
                                                                      • String ID: Decoding error at scanline %lu, %s$Not enough data at scanline %lu (short %llu bytes)$ZIPDecode$ZLib error: %s
                                                                      • API String ID: 2068748791-2346482635
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447603284.00007FFDF82F0000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447800943.00007FFDF8356000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447834616.00007FFDF8368000.00000004.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447897290.00007FFDF836B000.00000002.00000001.01000000.0000003F.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf82f0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: Array@@ByteColorColor@@Handler@@ImageSpace@@
                                                                      • String ID: K
                                                                      • API String ID: 4212315815-856455061
                                                                      • Opcode ID: 0cbd37184ef6567ffc52471c6d367b4a9fde5ccc09d7d1d37c3760418053a44b
                                                                      • Instruction ID: fd6fb3ce8151efe63ad2ac4d711b5d88da8da523ce5948a64c3e1300a9646982
                                                                      • Opcode Fuzzy Hash: 0cbd37184ef6567ffc52471c6d367b4a9fde5ccc09d7d1d37c3760418053a44b
                                                                      • Instruction Fuzzy Hash: D2112E22D14B8282D740DF30E9907B973A0FBA9B08F596336DA5C46269EF38E5D4C351
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447603284.00007FFDF82F0000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447800943.00007FFDF8356000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447834616.00007FFDF8368000.00000004.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447897290.00007FFDF836B000.00000002.00000001.01000000.0000003F.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf82f0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: memset
                                                                      • String ID: RIFF$VP8L$WEBP
                                                                      • API String ID: 2221118986-2152065085
                                                                      • Opcode ID: a27f81fd172f2e56f719e9dcd81b0310164ace9c021efc74f993d6d69a9fd8e5
                                                                      • Instruction ID: 47286d150199de610222b3f05ad63318d178ad0ce33ed87a57a02f29dde64107
                                                                      • Opcode Fuzzy Hash: a27f81fd172f2e56f719e9dcd81b0310164ace9c021efc74f993d6d69a9fd8e5
                                                                      • Instruction Fuzzy Hash: F7B18D32B096429BF704EF61D4207AD37A1EB44788F484039DE1E9BA9DDF38EA05D745
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID: for chopped "StripByteCounts" array$for chopped "StripOffsets" array
                                                                      • API String ID: 1294909896-2417079542
                                                                      • Opcode ID: d86b111e018857a38258b68bd623036452e3fbed587d3e2cc27d7e1e4c30774d
                                                                      • Instruction ID: 13209d129c23e3d35448855e9988b8e10a6e6be851bdf26f14571b0948ffe5b1
                                                                      • Opcode Fuzzy Hash: d86b111e018857a38258b68bd623036452e3fbed587d3e2cc27d7e1e4c30774d
                                                                      • Instruction Fuzzy Hash: 4831F622B1564143EB14FB62A5306ABA7D1FB84B98F484134DE7E877E8DF3CE4459704
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447603284.00007FFDF82F0000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447800943.00007FFDF8356000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447834616.00007FFDF8368000.00000004.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447897290.00007FFDF836B000.00000002.00000001.01000000.0000003F.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf82f0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: Variant@@$Color@@Size@@@
                                                                      • String ID:
                                                                      • API String ID: 1196172551-0
                                                                      • Opcode ID: 66a60cd59023b7d9fd64e8751457f9509053d489389161ac68cf9b0b8702ba61
                                                                      • Instruction ID: a4a87d98dd0f43100d46c6b611a7d6cb11323d169a1cc55296b149d5aa24ddfb
                                                                      • Opcode Fuzzy Hash: 66a60cd59023b7d9fd64e8751457f9509053d489389161ac68cf9b0b8702ba61
                                                                      • Instruction Fuzzy Hash: 6E214D66B0868182DB908B1AF55042E6360FB89BD0B8C1031EF6E47B5DDF3CF991DB04
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: ?device@Device@@Handler@@Image
                                                                      • String ID: foo
                                                                      • API String ID: 1809623744-2356372769
                                                                      • Opcode ID: 96d6bf24350cdc907b93a994e3fba6d10c8576f66e9036764c6ea2a8b883907f
                                                                      • Instruction ID: c07d2da07c9e7f3c3b2da0f18dad46deba13f6fa7cdad8cefb16347bc1189ecf
                                                                      • Opcode Fuzzy Hash: 96d6bf24350cdc907b93a994e3fba6d10c8576f66e9036764c6ea2a8b883907f
                                                                      • Instruction Fuzzy Hash: 42212876B09B4283EB01AB51E4605B933E5FB45B80F484131D96D837B8EF3CE159D749
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: z_deflate
                                                                      • String ID: (null)$PixarLogPostEncode$ZLib error: %s
                                                                      • API String ID: 1885210868-2356091595
                                                                      • Opcode ID: c6cd366a6c0bb7239cc2f4ad71fd62cc39c69bdc424a3844ce49632ad7549a85
                                                                      • Instruction ID: 5772a078c6a6b4d0bdfbf5f059c487626bed447bea5a98ad57f805976a8083bd
                                                                      • Opcode Fuzzy Hash: c6cd366a6c0bb7239cc2f4ad71fd62cc39c69bdc424a3844ce49632ad7549a85
                                                                      • Instruction Fuzzy Hash: 0E115936B09A8287DB54AF21E4507AA73A0F748B84F584431EBAE873A9CE38E5458344
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2406667187.00000000665A1000.00000020.00000001.01000000.00000017.sdmp, Offset: 665A0000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2406642149.00000000665A0000.00000002.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406792693.00000000666B7000.00000004.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406820999.00000000666BA000.00000008.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406847159.00000000666BB000.00000004.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406871627.00000000666BC000.00000002.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406912844.0000000066701000.00000004.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406945844.0000000066705000.00000002.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406972363.000000006670A000.00000004.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406997040.000000006670C000.00000008.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2406997040.000000006670F000.00000008.00000001.01000000.00000017.sdmp
                                                                      • Associated: 0000000D.00000002.2407044496.0000000066710000.00000002.00000001.01000000.00000017.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_665a0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: FrequencyPerformanceQueryTimetime
                                                                      • String ID: SDL_TIMER_RESOLUTION
                                                                      • API String ID: 1504312704-587407577
                                                                      • Opcode ID: 27d52d1fe4739a2003d01b437a9c47052c132e6ae345cd5fab0bc2b713061266
                                                                      • Instruction ID: 940002dcff8e8049a7b3d3e9bc33cdc685d5413e212b7c654254a97b7126aeb8
                                                                      • Opcode Fuzzy Hash: 27d52d1fe4739a2003d01b437a9c47052c132e6ae345cd5fab0bc2b713061266
                                                                      • Instruction Fuzzy Hash: 3A0169F461CA12C7F7048F64F8A47663766F70832CF500128C809822A9DFBF88B9CB20
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2407098796.000000006AD01000.00000020.00000001.01000000.00000026.sdmp, Offset: 6AD00000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2407068238.000000006AD00000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407128998.000000006AD17000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407154507.000000006AD1F000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407177787.000000006AD20000.00000004.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407201919.000000006AD23000.00000008.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407225283.000000006AD24000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407225283.000000006AD3A000.00000002.00000001.01000000.00000026.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_6ad00000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: AddressHandleModuleProc
                                                                      • String ID: _Jv_RegisterClasses$libgcj-16.dll
                                                                      • API String ID: 1646373207-328863460
                                                                      • Opcode ID: 53af56a3158cd6b4fe6df107c02055e7daa0be773874949d26726cebdd3e3d3e
                                                                      • Instruction ID: 4ed299b0863a2f0b747778280f5f8b7db35487ddfe9123ad69de31462a8d1586
                                                                      • Opcode Fuzzy Hash: 53af56a3158cd6b4fe6df107c02055e7daa0be773874949d26726cebdd3e3d3e
                                                                      • Instruction Fuzzy Hash: 4AF08224716600D4FE15FFA5F89436422A6BB4A788FC60016E40F127B0EF7DCAA5CF22
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447672834.00007FFDF82F1000.00000020.00000001.01000000.0000003F.sdmp, Offset: 00007FFDF82F0000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447603284.00007FFDF82F0000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447800943.00007FFDF8356000.00000002.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447834616.00007FFDF8368000.00000004.00000001.01000000.0000003F.sdmp
                                                                      • Associated: 0000000D.00000002.2447897290.00007FFDF836B000.00000002.00000001.01000000.0000003F.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf82f0000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: memcpy
                                                                      • String ID: Could not decode alpha data.
                                                                      • API String ID: 3510742995-3483007141
                                                                      • Opcode ID: 8fa7d9faeb0153af42e7e3f12ed68b4456c7177e65d7644616b2e2be4a75a33a
                                                                      • Instruction ID: f5ee27beaefbd2fbb2eda5963df0a91823a4b5a77cc364dc1f2c290bede4748a
                                                                      • Opcode Fuzzy Hash: 8fa7d9faeb0153af42e7e3f12ed68b4456c7177e65d7644616b2e2be4a75a33a
                                                                      • Instruction Fuzzy Hash: D7919D72704A8587DB68DF29D595BA8B3A0FB84B88F004135DA6D8B789DF38E460C744
                                                                      APIs
                                                                      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFDF83AE011,?,?,00000000,00000000,00007FFDF83AF370,?,?,?,?,?,?,00007FFDF838286D), ref: 00007FFDF83AEB14
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID: Invalid buffer size$No space for data buffer at scanline %lu$TIFFReadBufferSetup
                                                                      • API String ID: 1294909896-1524901191
                                                                      • Opcode ID: bcfc94db33ecfdf0a17017cbd32c67b6a7c7dc5c5ef55a25ce4e9205276a6774
                                                                      • Instruction ID: 9af9afc387326cf3357d5d0247c3811cd0e2b659c1e8605b57d25bf586cf186d
                                                                      • Opcode Fuzzy Hash: bcfc94db33ecfdf0a17017cbd32c67b6a7c7dc5c5ef55a25ce4e9205276a6774
                                                                      • Instruction Fuzzy Hash: 0E21B172B1978283EB44AF15E450BA933A0FB04B98F480235DA3D8B7EDDF38D1418345
                                                                      APIs
                                                                      Strings
                                                                      • Address %p has no image-section, xrefs: 6AD13F77, 6AD140BF
                                                                      • VirtualQuery failed for %d bytes at address %p, xrefs: 6AD140AE
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2407098796.000000006AD01000.00000020.00000001.01000000.00000026.sdmp, Offset: 6AD00000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2407068238.000000006AD00000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407128998.000000006AD17000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407154507.000000006AD1F000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407177787.000000006AD20000.00000004.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407201919.000000006AD23000.00000008.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407225283.000000006AD24000.00000002.00000001.01000000.00000026.sdmp
                                                                      • Associated: 0000000D.00000002.2407225283.000000006AD3A000.00000002.00000001.01000000.00000026.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_6ad00000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: QueryVirtual
                                                                      • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                                                                      • API String ID: 1804819252-157664173
                                                                      • Opcode ID: 5be1e26b420b105750eb559ef7ac945fe9260c8d46f349dae294e561c3626714
                                                                      • Instruction ID: 0c579cf1feed931af2ad471931208e9818ad326ae5f5cfef42b847f5dc675bea
                                                                      • Opcode Fuzzy Hash: 5be1e26b420b105750eb559ef7ac945fe9260c8d46f349dae294e561c3626714
                                                                      • Instruction Fuzzy Hash: C13126E2305A4499F601EF02FC84B55772AB78ABE8F868125DE0D07B54EF38C942C741
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2447955860.00007FFDF8381000.00000020.00000001.01000000.0000003D.sdmp, Offset: 00007FFDF8380000, based on PE: true
                                                                      • Associated: 0000000D.00000002.2447927128.00007FFDF8380000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448026961.00007FFDF83B4000.00000002.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448107305.00007FFDF83DC000.00000004.00000001.01000000.0000003D.sdmp
                                                                      • Associated: 0000000D.00000002.2448163958.00007FFDF83DD000.00000002.00000001.01000000.0000003D.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ffdf8380000_DouWan.jbxd
                                                                      Similarity
                                                                      • API ID: Resetz_inflate
                                                                      • String ID: PixarLogPreDecode$ZLib cannot deal with buffers this size
                                                                      • API String ID: 347135615-3964391605
                                                                      Similarity
                                                                      • API ID: Resetz_deflate
                                                                      • String ID: PixarLogPreEncode$ZLib cannot deal with buffers this size
                                                                      • API String ID: 530599804-2964284436
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID:
                                                                      • API String ID: 1294909896-0
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID:
                                                                      • API String ID: 1294909896-0
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID:
                                                                      • API String ID: 1294909896-0
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID:
                                                                      • API String ID: 1294909896-0
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID:
                                                                      • API String ID: 1294909896-0
                                                                      Similarity
                                                                      • API ID: free
                                                                      • String ID:
                                                                      • API String ID: 1294909896-0